Edit tour

Windows Analysis Report
hYrJbjnzVc.exe

Overview

General Information

Sample name:	hYrJbjnzVc.exe renamed because original name is a hash value
Original sample name:	adb680e5c7586df1d183ad1ef4807648.exe
Analysis ID:	1435364
MD5:	adb680e5c7586df1d183ad1ef4807648
SHA1:	df9c9e796c877100ebe80a457d57d9358401be50
SHA256:	597e094a98f56c0ef8b89cedd7c96d14fca1f5dd25e6e120525246d47de6ba96
Tags:	32exetrojan
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Connects to many ports of the same IP (likely port scanning)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hYrJbjnzVc.exe (PID: 1968 cmdline: "C:\Users\user\Desktop\hYrJbjnzVc.exe" MD5: ADB680E5C7586DF1D183AD1EF4807648)

schtasks.exe (PID: 7016 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 424 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 6976 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: ADB680E5C7586DF1D183AD1EF4807648)

MPGPH131.exe (PID: 6864 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: ADB680E5C7586DF1D183AD1EF4807648)

RageMP131.exe (PID: 3992 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: ADB680E5C7586DF1D183AD1EF4807648)

RageMP131.exe (PID: 7080 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: ADB680E5C7586DF1D183AD1EF4807648)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: hYrJbjnzVc.exe PID: 1968	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 6976	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 6864	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 3992	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7080	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\hYrJbjnzVc.exe, ProcessId: 1968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-15:51:00.791980
SID:	2046269
Source Port:	49712
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-15:51:00.553596
SID:	2046269
Source Port:	49710
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-15:51:01.432598
SID:	2046269
Source Port:	49721
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:49:19.512222
SID:	2046266
Source Port:	58709
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:50:31.741030
SID:	2046267
Source Port:	58709
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:50:32.037911
SID:	2046267
Source Port:	58709
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:50:32.590411
SID:	2046267
Source Port:	58709
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:49:30.619527
SID:	2046266
Source Port:	58709
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:50:31.373536
SID:	2046267
Source Port:	58709
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:50:31.755257
SID:	2046267
Source Port:	58709
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:49:01.484930
SID:	2046266
Source Port:	58709
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:49:08.939674
SID:	2046266
Source Port:	58709
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.6

Timestamp:	05/02/24-15:49:08.962696
SID:	2046266
Source Port:	58709
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.6 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-15:49:02.615417
SID:	2049060
Source Port:	49710
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-15:51:01.135824
SID:	2046269
Source Port:	49719
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-15:51:00.823298
SID:	2046269
Source Port:	49713
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 52%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 50%	Perma Link

Multi AV Scanner detection for submitted file

Source: hYrJbjnzVc.exe	ReversingLabs: Detection: 52%
Source: hYrJbjnzVc.exe	Virustotal: Detection: 51%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hYrJbjnzVc.exe

Joe Sandbox ML: detected

Source: hYrJbjnzVc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49710
Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49710 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49710 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49712
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49713
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49712 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49713 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49719
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49719 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49721
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49721 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49710
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49712
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49713
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49719
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49721

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 147.45.47.93:58709

Source: Joe Sandbox View

IP Address: 147.45.47.93 147.45.47.93

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

Code function: 0_2_00345940 recv,WSAStartup,closesocket,socket,connect,closesocket,

0_2_00345940

Source: global traffic

DNS traffic detected: DNS query: ipinfo.io

Source: hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 0000000C.00000002.3338900504.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/5
Source: MPGPH131.exe, 00000006.00000002.3339556281.0000000000957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/M%
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.0000000001290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ameSpace=
Source: RageMP131.exe, 00000008.00000002.3338690809.0000000000937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/g_Entries
Source: hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 00000008.00000002.3338690809.000000000094D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/tG
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3339556281.0000000000987000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000177C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225R
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225T5
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225r2G
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.000000000125E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3339556281.000000000092E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3338690809.000000000090E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTD
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

PE file contains section with special chars

Source: hYrJbjnzVc.exe	Static PE information: section name:
Source: hYrJbjnzVc.exe	Static PE information: section name: .idata
Source: hYrJbjnzVc.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002BA918	0_2_002BA918
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002BC950	0_2_002BC950
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002B7190	0_2_002B7190
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002CDA74	0_2_002CDA74
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_00370350	0_2_00370350
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002C035F	0_2_002C035F
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002D8BA0	0_2_002D8BA0
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002AF570	0_2_002AF570
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002D47AD	0_2_002D47AD
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_0036CFC0	0_2_0036CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D67190	6_2_00D67190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D6C950	6_2_00D6C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D6A918	6_2_00D6A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D7DA74	6_2_00D7DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D88BA0	6_2_00D88BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D7035F	6_2_00D7035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00E20350	6_2_00E20350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D5F570	6_2_00D5F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00E8FECB	6_2_00E8FECB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00E1CFC0	6_2_00E1CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D847AD	6_2_00D847AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00E90F23	6_2_00E90F23
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D67190	7_2_00D67190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D6C950	7_2_00D6C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D6A918	7_2_00D6A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D7DA74	7_2_00D7DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D88BA0	7_2_00D88BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D7035F	7_2_00D7035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00E20350	7_2_00E20350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D5F570	7_2_00D5F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00E8FECB	7_2_00E8FECB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00E1CFC0	7_2_00E1CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D847AD	7_2_00D847AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00E90F23	7_2_00E90F23
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F17190	8_2_00F17190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F1C950	8_2_00F1C950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F1A918	8_2_00F1A918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F1AADF	8_2_00F1AADF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F2DA74	8_2_00F2DA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F38BA0	8_2_00F38BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F2035F	8_2_00F2035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00FD0350	8_2_00FD0350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F0F570	8_2_00F0F570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00FCCFC0	8_2_00FCCFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F347AD	8_2_00F347AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F17190	12_2_00F17190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F1C950	12_2_00F1C950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F1A918	12_2_00F1A918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F2DA74	12_2_00F2DA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F38BA0	12_2_00F38BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F2035F	12_2_00F2035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00FD0350	12_2_00FD0350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F0F570	12_2_00F0F570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00FCCFC0	12_2_00FCCFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F347AD	12_2_00F347AD

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 00D64370 appears 48 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 00F14370 appears 48 times

Source: hYrJbjnzVc.exe	Binary or memory string: OriginalFilename vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000003.2131257623.0000000007327000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000000.2076126335.0000000000847000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000002.3346617022.0000000002C88000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe

Source: hYrJbjnzVc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@1/1

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: hYrJbjnzVc.exe	ReversingLabs: Detection: 52%
Source: hYrJbjnzVc.exe	Virustotal: Detection: 51%

Source: hYrJbjnzVc.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: hYrJbjnzVc.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

File read: C:\Users\user\Desktop\hYrJbjnzVc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hYrJbjnzVc.exe "C:\Users\user\Desktop\hYrJbjnzVc.exe"
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior

Source: hYrJbjnzVc.exe

Static file information: File size 2372608 > 1048576

Source: hYrJbjnzVc.exe

Static PE information: Raw size of rtycizfs is bigger than: 0x100000 < 0x194400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Unpacked PE file: 0.2.hYrJbjnzVc.exe.280000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 7.2.MPGPH131.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 8.2.RageMP131.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 12.2.RageMP131.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x245ac8 should be: 0x252c23
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x245ac8 should be: 0x252c23
Source: hYrJbjnzVc.exe	Static PE information: real checksum: 0x245ac8 should be: 0x252c23

Source: hYrJbjnzVc.exe	Static PE information: section name:
Source: hYrJbjnzVc.exe	Static PE information: section name: .idata
Source: hYrJbjnzVc.exe	Static PE information: section name:
Source: hYrJbjnzVc.exe	Static PE information: section name: rtycizfs
Source: hYrJbjnzVc.exe	Static PE information: section name: ybcmmseg
Source: hYrJbjnzVc.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: rtycizfs
Source: RageMP131.exe.0.dr	Static PE information: section name: ybcmmseg
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: rtycizfs
Source: MPGPH131.exe.0.dr	Static PE information: section name: ybcmmseg
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Code function: 0_2_002B3F49 push ecx; ret	0_2_002B3F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00D63F49 push ecx; ret	6_2_00D63F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00D63F49 push ecx; ret	7_2_00D63F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F13F49 push ecx; ret	8_2_00F13F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F13F49 push ecx; ret	12_2_00F13F5C

Source: hYrJbjnzVc.exe	Static PE information: section name: entropy: 7.924289235236996
Source: hYrJbjnzVc.exe	Static PE information: section name: rtycizfs entropy: 7.911667279717006
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.924289235236996
Source: RageMP131.exe.0.dr	Static PE information: section name: rtycizfs entropy: 7.911667279717006
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.924289235236996
Source: MPGPH131.exe.0.dr	Static PE information: section name: rtycizfs entropy: 7.911667279717006

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Stalling execution: Execution stalls by calling Sleep	graph_0-17957
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep	graph_6-17471

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 41780A second address: 417825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9630EEA8B0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 417825 second address: 41782F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58D18B second address: 58D190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 57B1D4 second address: 57B207 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 jmp 00007F96311B0BD9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58C0C6 second address: 58C0CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 57B1C6 second address: 57B1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F96311B0C04h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58C391 second address: 58C399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58C399 second address: 58C3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F96311B0BD9h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58C3BE second address: 58C3FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9630EEA8AFh 0x00000009 jmp 00007F9630EEA8B1h 0x0000000e popad 0x0000000f jmp 00007F9630EEA8ADh 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jl 00007F9630EEA8A6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58C3FA second address: 58C3FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58C3FE second address: 58C404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58C88A second address: 58C8A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96311B0BD9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58C8A7 second address: 58C8AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E47E second address: 58E49D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F96311B0BCFh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E49D second address: 58E4A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E4A3 second address: 58E4C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007F96311B0BC8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E4C0 second address: 41780A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F9630EEA8B5h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c mov edi, dword ptr [ebp+122D27D1h] 0x00000012 push dword ptr [ebp+122D0BA5h] 0x00000018 push ebx 0x00000019 jmp 00007F9630EEA8B6h 0x0000001e pop esi 0x0000001f call dword ptr [ebp+122D371Bh] 0x00000025 pushad 0x00000026 pushad 0x00000027 jc 00007F9630EEA8A6h 0x0000002d jmp 00007F9630EEA8ACh 0x00000032 popad 0x00000033 add dword ptr [ebp+122D27D1h], edi 0x00000039 xor eax, eax 0x0000003b pushad 0x0000003c mov ax, bx 0x0000003f mov dword ptr [ebp+122D27D1h], ecx 0x00000045 popad 0x00000046 mov edx, dword ptr [esp+28h] 0x0000004a jc 00007F9630EEA8BBh 0x00000050 jmp 00007F9630EEA8B5h 0x00000055 jmp 00007F9630EEA8AEh 0x0000005a mov dword ptr [ebp+122D2A1Ch], eax 0x00000060 jng 00007F9630EEA8ACh 0x00000066 mov esi, 0000003Ch 0x0000006b pushad 0x0000006c movsx ecx, si 0x0000006f popad 0x00000070 add esi, dword ptr [esp+24h] 0x00000074 xor dword ptr [ebp+122D27D1h], edx 0x0000007a lodsw 0x0000007c cld 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 jmp 00007F9630EEA8B1h 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a xor dword ptr [ebp+122D27D1h], esi 0x00000090 nop 0x00000091 push eax 0x00000092 push ebx 0x00000093 push eax 0x00000094 push edx 0x00000095 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E592 second address: 58E596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E596 second address: 58E615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b xor dword ptr [esp], 0AF9CA52h 0x00000012 jng 00007F9630EEA8B4h 0x00000018 pushad 0x00000019 xor dword ptr [ebp+122D279Dh], ecx 0x0000001f mov ebx, dword ptr [ebp+122D27FEh] 0x00000025 popad 0x00000026 push 00000003h 0x00000028 mov dx, di 0x0000002b push 00000000h 0x0000002d mov esi, 45481381h 0x00000032 push 00000003h 0x00000034 push 832276A9h 0x00000039 pushad 0x0000003a jng 00007F9630EEA8A8h 0x00000040 jnl 00007F9630EEA8B1h 0x00000046 popad 0x00000047 add dword ptr [esp], 3CDD8957h 0x0000004e or dword ptr [ebp+122D27C2h], ebx 0x00000054 lea ebx, dword ptr [ebp+1244A33Eh] 0x0000005a push edi 0x0000005b cmc 0x0000005c pop ecx 0x0000005d xchg eax, ebx 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F9630EEA8B1h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E615 second address: 58E619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E619 second address: 58E64E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F9630EEA8B6h 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 jc 00007F9630EEA8ACh 0x00000016 push eax 0x00000017 push edx 0x00000018 jg 00007F9630EEA8A6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E6C4 second address: 58E772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007F96311B0BCCh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov cx, 9444h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F96311B0BC8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f movzx edx, bx 0x00000032 push 15DEB995h 0x00000037 push ebx 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b push eax 0x0000003c pop eax 0x0000003d popad 0x0000003e pop ebx 0x0000003f xor dword ptr [esp], 15DEB915h 0x00000046 jo 00007F96311B0BCCh 0x0000004c mov dword ptr [ebp+122D2EE7h], eax 0x00000052 push 00000003h 0x00000054 mov di, 0C29h 0x00000058 push 00000000h 0x0000005a mov esi, dword ptr [ebp+122D2BB8h] 0x00000060 push 00000003h 0x00000062 jmp 00007F96311B0BD7h 0x00000067 mov cx, 9C25h 0x0000006b push A0BD3A1Bh 0x00000070 pushad 0x00000071 jmp 00007F96311B0BD5h 0x00000076 push eax 0x00000077 push edx 0x00000078 jc 00007F96311B0BC6h 0x0000007e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58E7CB second address: 58E7D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F9630EEA8ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AEA1A second address: 5AEA45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F96311B0BCAh 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AEA45 second address: 5AEA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AEA4B second address: 5AEA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AEBB8 second address: 5AEBC6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F9630EEA8A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AF6FD second address: 5AF704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AFAFD second address: 5AFB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jns 00007F9630EEA8A6h 0x0000000c je 00007F9630EEA8A6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 popad 0x00000018 jng 00007F9630EEA8A6h 0x0000001e pop eax 0x0000001f push ebx 0x00000020 pushad 0x00000021 popad 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pop ebx 0x00000025 popad 0x00000026 pushad 0x00000027 pushad 0x00000028 js 00007F9630EEA8A6h 0x0000002e push eax 0x0000002f pop eax 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AFB2F second address: 5AFB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AFB38 second address: 5AFB3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5AFB3C second address: 5AFB40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B0563 second address: 5B0585 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9630EEA8A6h 0x00000008 jno 00007F9630EEA8A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F9630EEA8B2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B0585 second address: 5B05A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD6h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B05A0 second address: 5B05A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B08C2 second address: 5B08F2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F96311B0BCEh 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F96311B0BD2h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B08F2 second address: 5B08F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B08F8 second address: 5B08FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B3237 second address: 5B323C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B323C second address: 5B3246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B6E04 second address: 5B6E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B6E0E second address: 5B6E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B6E14 second address: 5B6E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 577BB7 second address: 577BBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5B9756 second address: 5B9765 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007F9630EEA8A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BDBE2 second address: 5BDBE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BDBE8 second address: 5BDBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BDBEC second address: 5BDBF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BDBF2 second address: 5BDBF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BD723 second address: 5BD729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BD729 second address: 5BD735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BD873 second address: 5BD87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BD87F second address: 5BD884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BD884 second address: 5BD8A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F96311B0BCAh 0x00000008 jmp 00007F96311B0BD2h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BDA45 second address: 5BDA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BDA49 second address: 5BDA4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BDA4D second address: 5BDA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F9630EEA8AEh 0x0000000e jo 00007F9630EEA8A6h 0x00000014 pushad 0x00000015 popad 0x00000016 je 00007F9630EEA8C7h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BEB15 second address: 5BEB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BEB19 second address: 5BEB1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BEB8E second address: 5BEB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BF479 second address: 5BF4C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push edx 0x00000013 jmp 00007F9630EEA8B6h 0x00000018 pop edx 0x00000019 pushad 0x0000001a jmp 00007F9630EEA8ABh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BFB11 second address: 5BFB15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5BFD41 second address: 5BFD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C0E6F second address: 5C0E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C1F0D second address: 5C1F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F9630EEA8A8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+122D2B0Ch] 0x0000002b mov si, dx 0x0000002e push 00000000h 0x00000030 mov di, cx 0x00000033 push 00000000h 0x00000035 mov di, F366h 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b ja 00007F9630EEA8A8h 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 jmp 00007F9630EEA8AAh 0x00000049 popad 0x0000004a popad 0x0000004b push eax 0x0000004c pushad 0x0000004d jng 00007F9630EEA8ACh 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C2B5D second address: 5C2B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96311B0BD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C280F second address: 5C2815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C2815 second address: 5C2819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C3629 second address: 5C362D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C362D second address: 5C3691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F96311B0BD3h 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F96311B0BD1h 0x00000015 nop 0x00000016 mov esi, 54104D66h 0x0000001b mov esi, edi 0x0000001d push 00000000h 0x0000001f jmp 00007F96311B0BD9h 0x00000024 push 00000000h 0x00000026 xchg eax, ebx 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C4C61 second address: 5C4CBA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9630EEA8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F9630EEA8B1h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F9630EEA8A8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 pushad 0x00000034 mov ax, cx 0x00000037 xor di, 4B00h 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 js 00007F9630EEA8A6h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C5792 second address: 5C5798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C5798 second address: 5C57A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C8FA5 second address: 5C9003 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F96311B0BCFh 0x0000000f push eax 0x00000010 jmp 00007F96311B0BCAh 0x00000015 pop eax 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F96311B0BC8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 and edi, dword ptr [ebp+122D36E5h] 0x00000038 push 00000000h 0x0000003a movsx edi, dx 0x0000003d push 00000000h 0x0000003f mov di, dx 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 pushad 0x00000047 popad 0x00000048 pop eax 0x00000049 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CA137 second address: 5CA154 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9630EEA8B1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CE15B second address: 5CE176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F96311B0BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CE176 second address: 5CE1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F9630EEA8A8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov bh, C2h 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F9630EEA8A8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F9630EEA8B2h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CE1D6 second address: 5CE1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CC216 second address: 5CC21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CD25E second address: 5CD265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CE1DC second address: 5CE1EE instructions: 0x00000000 rdtsc 0x00000002 js 00007F9630EEA8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CC21A second address: 5CC21E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CE1EE second address: 5CE1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CD265 second address: 5CD2D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F96311B0BCCh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 nop 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov edi, dword ptr [ebp+122D2D96h] 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov di, 93FEh 0x0000002f mov eax, dword ptr [ebp+122D0BD9h] 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F96311B0BC8h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f jmp 00007F96311B0BCDh 0x00000054 add ebx, 0030E807h 0x0000005a push FFFFFFFFh 0x0000005c mov bx, 52F7h 0x00000060 push eax 0x00000061 push ebx 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CC21E second address: 5CC224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CF1ED second address: 5CF2C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F96311B0BC8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 jnl 00007F96311B0BD2h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F96311B0BC8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D1D9Bh], ecx 0x0000004e push 00000000h 0x00000050 call 00007F96311B0BD2h 0x00000055 or dword ptr [ebp+122D1D1Dh], edx 0x0000005b pop ebx 0x0000005c pushad 0x0000005d call 00007F96311B0BD4h 0x00000062 adc si, 953Fh 0x00000067 pop edi 0x00000068 and esi, dword ptr [ebp+122D2A28h] 0x0000006e popad 0x0000006f xchg eax, esi 0x00000070 jmp 00007F96311B0BD7h 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 push edi 0x00000079 jo 00007F96311B0BC6h 0x0000007f pop edi 0x00000080 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D019A second address: 5D019F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CF49B second address: 5CF49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5CF49F second address: 5CF4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D036A second address: 5D0370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D11C9 second address: 5D11D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F9630EEA8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D0370 second address: 5D037A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F96311B0BCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D31FC second address: 5D3202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D3202 second address: 5D326A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F96311B0BC8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 clc 0x00000029 push 00000000h 0x0000002b mov edi, ecx 0x0000002d push 00000000h 0x0000002f mov di, 829Bh 0x00000033 xchg eax, esi 0x00000034 jmp 00007F96311B0BCDh 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d jnp 00007F96311B0BC6h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D432D second address: 5D4339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9630EEA8ACh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D22C5 second address: 5D22CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D1301 second address: 5D1321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jo 00007F9630EEA8A6h 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D4339 second address: 5D4343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D22CA second address: 5D22D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D1321 second address: 5D132B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D4343 second address: 5D43B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F9630EEA8A8h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 push eax 0x00000022 mov di, dx 0x00000025 pop edi 0x00000026 push 00000000h 0x00000028 mov ebx, esi 0x0000002a mov bh, 14h 0x0000002c push 00000000h 0x0000002e jl 00007F9630EEA8ACh 0x00000034 mov edi, dword ptr [ebp+122D1CF7h] 0x0000003a xchg eax, esi 0x0000003b push edx 0x0000003c pushad 0x0000003d jp 00007F9630EEA8A6h 0x00000043 push esi 0x00000044 pop esi 0x00000045 popad 0x00000046 pop edx 0x00000047 push eax 0x00000048 pushad 0x00000049 pushad 0x0000004a jp 00007F9630EEA8A6h 0x00000050 jmp 00007F9630EEA8B3h 0x00000055 popad 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D132B second address: 5D13BD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d stc 0x0000000e xor bh, FFFFFFB5h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push ebx 0x00000019 mov ebx, 4AAE37F2h 0x0000001e pop ebx 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007F96311B0BC8h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 mov bx, dx 0x00000043 mov eax, dword ptr [ebp+122D1785h] 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007F96311B0BC8h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 0000001Ch 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 jc 00007F96311B0BD2h 0x00000069 jno 00007F96311B0BCCh 0x0000006f push FFFFFFFFh 0x00000071 mov bh, A8h 0x00000073 push eax 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D43B3 second address: 5D43B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D13BD second address: 5D13C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D457B second address: 5D457F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D457F second address: 5D4591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jg 00007F96311B0BC6h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D4591 second address: 5D4596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D669B second address: 5D66A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D6884 second address: 5D688A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D688A second address: 5D68A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F96311B0BC6h 0x00000009 js 00007F96311B0BC6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D68A3 second address: 5D68BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D68BE second address: 5D68C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D68C4 second address: 5D6953 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9630EEA8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d pushad 0x0000000e mov esi, dword ptr [ebp+122D2BCCh] 0x00000014 mov eax, ecx 0x00000016 popad 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov ebx, dword ptr [ebp+122D2A14h] 0x00000024 pushad 0x00000025 mov ax, si 0x00000028 mov dword ptr [ebp+122D3720h], edx 0x0000002e popad 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 movsx edi, di 0x00000039 mov eax, dword ptr [ebp+122D10B5h] 0x0000003f jbe 00007F9630EEA8BBh 0x00000045 je 00007F9630EEA8A8h 0x0000004b mov bl, 4Ch 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push edi 0x00000052 call 00007F9630EEA8A8h 0x00000057 pop edi 0x00000058 mov dword ptr [esp+04h], edi 0x0000005c add dword ptr [esp+04h], 00000014h 0x00000064 inc edi 0x00000065 push edi 0x00000066 ret 0x00000067 pop edi 0x00000068 ret 0x00000069 mov edi, 6F470BC3h 0x0000006e nop 0x0000006f je 00007F9630EEA8B4h 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D6953 second address: 5D6964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F96311B0BC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D862C second address: 5D86B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 jnp 00007F9630EEA8A8h 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F9630EEA8B6h 0x00000014 popad 0x00000015 nop 0x00000016 and edi, dword ptr [ebp+122D26AAh] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007F9630EEA8A8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 mov dword ptr [ebp+122D24D4h], eax 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007F9630EEA8A8h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000019h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a xchg eax, esi 0x0000005b push ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F9630EEA8ABh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D77A4 second address: 5D77AE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D6964 second address: 5D6969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D77AE second address: 5D77B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D6969 second address: 5D696E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D77B8 second address: 5D7848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ebx, dword ptr [ebp+122D2AC0h] 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F96311B0BC8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov bx, CDB2h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F96311B0BC8h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 0000001Dh 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 mov edi, dword ptr [ebp+122D279Dh] 0x0000005e mov eax, dword ptr [ebp+122D178Dh] 0x00000064 mov dword ptr [ebp+1244566Bh], edx 0x0000006a push FFFFFFFFh 0x0000006c mov di, ax 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 pop edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D7848 second address: 5D785F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9630EEA8A8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jng 00007F9630EEA8A6h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D785F second address: 5D7865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D7865 second address: 5D7869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D8857 second address: 5D8861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5D8861 second address: 5D8865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E2CFE second address: 5E2D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 jp 00007F96311B0BC6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E2D0F second address: 5E2D2A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F9630EEA8ABh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E2D2A second address: 5E2D44 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F96311B0BC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F96311B0BCEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E24B0 second address: 5E24B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E24B6 second address: 5E24C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F96311B0BC6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E24C1 second address: 5E24CB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9630EEA8AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E7FF9 second address: 5E801E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007F96311B0BD5h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E801E second address: 5E805F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9630EEA8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F9630EEA8B5h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F9630EEA8B8h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E812B second address: 41780A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F96311B0BCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 4A68932Bh 0x00000011 jmp 00007F96311B0BCFh 0x00000016 push dword ptr [ebp+122D0BA5h] 0x0000001c jmp 00007F96311B0BD6h 0x00000021 call dword ptr [ebp+122D371Bh] 0x00000027 pushad 0x00000028 pushad 0x00000029 jc 00007F96311B0BC6h 0x0000002f jmp 00007F96311B0BCCh 0x00000034 popad 0x00000035 add dword ptr [ebp+122D27D1h], edi 0x0000003b xor eax, eax 0x0000003d pushad 0x0000003e mov ax, bx 0x00000041 mov dword ptr [ebp+122D27D1h], ecx 0x00000047 popad 0x00000048 mov edx, dword ptr [esp+28h] 0x0000004c jc 00007F96311B0BDBh 0x00000052 jmp 00007F96311B0BD5h 0x00000057 jmp 00007F96311B0BCEh 0x0000005c mov dword ptr [ebp+122D2A1Ch], eax 0x00000062 jng 00007F96311B0BCCh 0x00000068 mov esi, 0000003Ch 0x0000006d pushad 0x0000006e movsx ecx, si 0x00000071 popad 0x00000072 add esi, dword ptr [esp+24h] 0x00000076 xor dword ptr [ebp+122D27D1h], edx 0x0000007c lodsw 0x0000007e cld 0x0000007f add eax, dword ptr [esp+24h] 0x00000083 jmp 00007F96311B0BD1h 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c xor dword ptr [ebp+122D27D1h], esi 0x00000092 nop 0x00000093 push eax 0x00000094 push ebx 0x00000095 push eax 0x00000096 push edx 0x00000097 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5E96E8 second address: 5E96EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EE6C0 second address: 5EE6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96311B0BCEh 0x00000009 jmp 00007F96311B0BD8h 0x0000000e popad 0x0000000f jmp 00007F96311B0BD2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EE6FD second address: 5EE707 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9630EEA8AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EDA55 second address: 5EDA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EDE2D second address: 5EDE46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9630EEA8B5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EDE46 second address: 5EDE4B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EE12A second address: 5EE146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F9630EEA8B4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EE261 second address: 5EE29A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F96311B0BC6h 0x00000008 jmp 00007F96311B0BD8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F96311B0BD0h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EE54E second address: 5EE554 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5EE554 second address: 5EE567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 ja 00007F96311B0BD6h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5F5A5E second address: 5F5A62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 580287 second address: 58029A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58029A second address: 58029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 58029E second address: 5802A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C69C5 second address: 5C6A48 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9630EEA8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F9630EEA8B6h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F9630EEA8A8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov ecx, 06AEDC74h 0x00000030 lea eax, dword ptr [ebp+1248277Ch] 0x00000036 pushad 0x00000037 jno 00007F9630EEA8ACh 0x0000003d mov dword ptr [ebp+122D3713h], ecx 0x00000043 popad 0x00000044 nop 0x00000045 jne 00007F9630EEA8BEh 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C6A48 second address: 5C6A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C6A4C second address: 5C6A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C6A52 second address: 5C6A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C6B54 second address: 5C6B59 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C6C60 second address: 5C6C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C6C6D second address: 5C6C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C6C71 second address: 5C6C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7019 second address: 5C7023 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9630EEA8ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C70E4 second address: 5C70E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C70E9 second address: 5C711B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jnc 00007F9630EEA8B2h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F9630EEA8AFh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C711B second address: 5C7121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7121 second address: 5C7125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C720E second address: 5C7214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7294 second address: 5C72C7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], esi 0x0000000a pushad 0x0000000b jmp 00007F9630EEA8AEh 0x00000010 ja 00007F9630EEA8A8h 0x00000016 popad 0x00000017 nop 0x00000018 push eax 0x00000019 jnp 00007F9630EEA8A8h 0x0000001f pop eax 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C72C7 second address: 5C72CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C72CC second address: 5C72DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C73BB second address: 5C73DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F96311B0BCDh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C73DF second address: 5C73E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C73E3 second address: 5C7408 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F96311B0BC8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C761D second address: 5C7681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jnc 00007F9630EEA8A8h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F9630EEA8A8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jmp 00007F9630EEA8B8h 0x0000002c push 00000004h 0x0000002e mov di, B749h 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F9630EEA8B1h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7681 second address: 5C7687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7D3D second address: 5C7D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7D41 second address: 5C7D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7DD5 second address: 5C7DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7DD9 second address: 5C7DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C7DDF second address: 5C7DE4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5A3617 second address: 5A361D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5A361D second address: 5A3621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5A3621 second address: 5A3627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5F4C4E second address: 5F4C53 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5F55D9 second address: 5F55DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FB69C second address: 5FB6A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FB6A3 second address: 5FB6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FA265 second address: 5FA285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F9630EEA8A6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FA285 second address: 5FA29D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F96311B0BCCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FA41E second address: 5FA42B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007F9630EEA8A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FA42B second address: 5FA431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FA692 second address: 5FA69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FA69B second address: 5FA6A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FA6A0 second address: 5FA6A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FA6A7 second address: 5FA6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FAC1B second address: 5FAC24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FAC24 second address: 5FAC28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FAC28 second address: 5FAC30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FADAF second address: 5FADD1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007F96311B0BD5h 0x0000000e pop edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5FAF7D second address: 5FAF81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5F9DC7 second address: 5F9DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F96311B0BD3h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5F9DE7 second address: 5F9DFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6006E3 second address: 6006E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 600859 second address: 60086D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9630EEA8ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6046EE second address: 6046F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6046F4 second address: 604705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 604705 second address: 604719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F96311B0BC6h 0x0000000e jne 00007F96311B0BC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6067CC second address: 6067DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F9630EEA8A6h 0x00000009 pop esi 0x0000000a js 00007F9630EEA8ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6067DE second address: 6067E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 57CC7B second address: 57CC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jno 00007F9630EEA8A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 60A29F second address: 60A2B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F96311B0BC6h 0x00000009 js 00007F96311B0BC6h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 60FFFC second address: 610002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 610002 second address: 61000E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007F96311B0BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 610166 second address: 61016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 61016A second address: 610188 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F96311B0BD4h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6102E1 second address: 6102FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F9630EEA8B1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6105B5 second address: 6105BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6105BB second address: 6105CF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9630EEA8ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6154ED second address: 6154F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6154F3 second address: 6154F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6154F7 second address: 6154FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6154FB second address: 615501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 615501 second address: 615516 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F96311B0BC6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 614A3A second address: 614A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 614A40 second address: 614A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F96311B0BC6h 0x0000000a popad 0x0000000b push esi 0x0000000c jo 00007F96311B0BC6h 0x00000012 pop esi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F96311B0BD1h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 614A6B second address: 614A71 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 614A71 second address: 614A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 614A77 second address: 614A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 614BD4 second address: 614BD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 614BD8 second address: 614C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F9630EEA8A8h 0x0000000c je 00007F9630EEA8BCh 0x00000012 jmp 00007F9630EEA8B6h 0x00000017 popad 0x00000018 pushad 0x00000019 jns 00007F9630EEA8AEh 0x0000001f je 00007F9630EEA8A6h 0x00000025 push esi 0x00000026 pop esi 0x00000027 jmp 00007F9630EEA8B7h 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6150E4 second address: 6150E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6150E8 second address: 6150F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F9630EEA8A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6150F8 second address: 6150FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6150FE second address: 615102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 61A113 second address: 61A11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 619246 second address: 619263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jnp 00007F9630EEA8AEh 0x0000000e pushad 0x0000000f popad 0x00000010 jo 00007F9630EEA8A6h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6193AC second address: 6193B6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F96311B0BC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 619520 second address: 619526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 619526 second address: 61952A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 619970 second address: 61997B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007F9630EEA8A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 619C90 second address: 619CA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F96311B0BC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 619CA4 second address: 619CC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9630EEA8B1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 623834 second address: 623851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jnp 00007F96311B0BCEh 0x0000000d jbe 00007F96311B0BCEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 621A6F second address: 621A9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F9630EEA8A6h 0x00000009 jne 00007F9630EEA8A6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push esi 0x00000013 jmp 00007F9630EEA8AAh 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 jnl 00007F9630EEA8A6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 621A9C second address: 621AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 621AA1 second address: 621AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F9630EEA8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 621AAB second address: 621ABF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F96311B0BC6h 0x00000008 jns 00007F96311B0BC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 621ABF second address: 621AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 621AC3 second address: 621AC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 62211F second address: 622125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6222AD second address: 6222B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F96311B0BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6222B8 second address: 6222C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9630EEA8A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 62246C second address: 6224A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jnp 00007F96311B0BC6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push ecx 0x00000017 jns 00007F96311B0BC6h 0x0000001d pop ecx 0x0000001e pushad 0x0000001f jmp 00007F96311B0BD0h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 62286A second address: 622870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 622870 second address: 62287A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 621618 second address: 621636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9630EEA8B8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 628F95 second address: 628F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 628F9B second address: 628FA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 628FA1 second address: 628FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6290F1 second address: 6290FA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6350D3 second address: 63510D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F96311B0BCCh 0x0000000c ja 00007F96311B0BCEh 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F96311B0BD6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 634AE9 second address: 634B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9630EEA8ACh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 634B00 second address: 634B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 634C4F second address: 634C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 js 00007F9630EEA8A6h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 634C5E second address: 634C69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F96311B0BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 634C69 second address: 634C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6368AC second address: 6368B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6368B2 second address: 6368C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007F9630EEA8A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007F9630EEA8C0h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6368C9 second address: 6368CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6368CF second address: 6368DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9630EEA8A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 639F76 second address: 639F88 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F96311B0BC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 639F88 second address: 639F92 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9630EEA8A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 63A0F0 second address: 63A10B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 646D94 second address: 646DAE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9630EEA8A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F9630EEA8AEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 646DAE second address: 646DCD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F96311B0BCAh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F96311B0BCFh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 646DCD second address: 646DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 64A11F second address: 64A123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 649F25 second address: 649F51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F9630EEA8ACh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 649F51 second address: 649F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 649F5B second address: 649F61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 649F61 second address: 649F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 649F6E second address: 649F8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B9h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 649F8D second address: 649F9E instructions: 0x00000000 rdtsc 0x00000002 je 00007F96311B0BCCh 0x00000008 jg 00007F96311B0BC6h 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 64F46F second address: 64F480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F9630EEA8A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 64F480 second address: 64F486 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 64F486 second address: 64F496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F9630EEA8A6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 64F496 second address: 64F4A4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 64F4A4 second address: 64F4A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 655620 second address: 655624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 655624 second address: 65562C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 655764 second address: 655778 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F96311B0BC6h 0x0000000e jns 00007F96311B0BC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 669982 second address: 669986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 66983B second address: 669850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F96311B0BCAh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 669850 second address: 669854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 669854 second address: 669862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 669862 second address: 669866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 66CCE1 second address: 66CCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 66CCE5 second address: 66CCFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F9630EEA8ADh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 66CCFA second address: 66CD04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 66CD04 second address: 66CD08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 66CD08 second address: 66CD21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F96311B0BCBh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 666619 second address: 66662B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8ACh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 66662B second address: 66662F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 679EDC second address: 679F05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9630EEA8ACh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 679F05 second address: 679F11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F96311B0BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A2980 second address: 6A2999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A2999 second address: 6A29A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A2B52 second address: 6A2B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A2B56 second address: 6A2B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A2B6C second address: 6A2B7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9630EEA8ABh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A2FFC second address: 6A3013 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCEh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A3013 second address: 6A3023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007F9630EEA8A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A31D8 second address: 6A31DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A31DD second address: 6A31E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A31E3 second address: 6A3228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96311B0BCFh 0x00000009 jc 00007F96311B0BC6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F96311B0BD0h 0x0000001a push esi 0x0000001b jno 00007F96311B0BC6h 0x00000021 jmp 00007F96311B0BCFh 0x00000026 pop esi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A7A96 second address: 6A7AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A7AA2 second address: 6A7AAC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A7B25 second address: 6A7B2F instructions: 0x00000000 rdtsc 0x00000002 je 00007F9630EEA8ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A7B2F second address: 6A7B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A7B3B second address: 6A7B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9630EEA8B8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A7E14 second address: 6A7E30 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007F96311B0BC6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F96311B0BD4h 0x00000013 pushad 0x00000014 jnl 00007F96311B0BC6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A9471 second address: 6A9477 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A9477 second address: 6A9491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F96311B0BD2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A9491 second address: 6A9495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A9495 second address: 6A94B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96311B0BD5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A94B0 second address: 6A94B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A94B5 second address: 6A94BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6A94BE second address: 6A94C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6AB42B second address: 6AB431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 6AB431 second address: 6AB46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9630EEA8B8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9630EEA8ACh 0x00000011 jmp 00007F9630EEA8B2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F9079E second address: 4F907FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F96311B0BD7h 0x00000008 pop ecx 0x00000009 mov esi, ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebp 0x0000000f jmp 00007F96311B0BD0h 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov eax, ebx 0x0000001c pushfd 0x0000001d jmp 00007F96311B0BD9h 0x00000022 jmp 00007F96311B0BCBh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F907FE second address: 4F90804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F90804 second address: 4F90808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F90808 second address: 4F90870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9630EEA8B8h 0x00000013 xor esi, 10258F68h 0x00000019 jmp 00007F9630EEA8ABh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F9630EEA8B8h 0x00000025 jmp 00007F9630EEA8B5h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F90870 second address: 4F90883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov dx, B80Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F90883 second address: 4F90887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F90887 second address: 4F90895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F6001B second address: 4F60058 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9630EEA8AEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9630EEA8AEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F60058 second address: 4F6007E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F96311B0BD2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F6007E second address: 4F600DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 movzx esi, di 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov edx, 0E8208BCh 0x00000011 pushfd 0x00000012 jmp 00007F9630EEA8B5h 0x00000017 xor ecx, 497E8E16h 0x0000001d jmp 00007F9630EEA8B1h 0x00000022 popfd 0x00000023 popad 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F9630EEA8B8h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F600DB second address: 4F600DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F600DF second address: 4F600E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD018E second address: 4FD01BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F96311B0BD7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD01BC second address: 4FD01C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0DF9 second address: 4FC0E3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F96311B0BD0h 0x0000000f push eax 0x00000010 jmp 00007F96311B0BCBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F96311B0BD0h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0E3B second address: 4FC0E4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0E4A second address: 4FC0E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0C64 second address: 4FA0C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0C68 second address: 4FA0C84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0C84 second address: 4FA0C8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0C8A second address: 4FA0C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0C8E second address: 4FA0C92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF03A3 second address: 4FF03A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF03A7 second address: 4FF03C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF03C4 second address: 4FF03E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF03E0 second address: 4FF03E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF03E6 second address: 4FF03EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF03EC second address: 4FF03F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF03F0 second address: 4FF0434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F96311B0BCBh 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F96311B0BD6h 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov bx, 3230h 0x00000020 mov edi, 35F5415Ch 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF0434 second address: 4FF043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF043A second address: 4FF043E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF043E second address: 4FF0458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9630EEA8AFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF0458 second address: 4FF045D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0E4C second address: 4FD0E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0E50 second address: 4FD0E54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0E54 second address: 4FD0E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0E5A second address: 4FD0E81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F96311B0BCEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0E81 second address: 4FD0E86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0E86 second address: 4FD0ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F96311B0BD7h 0x0000000a xor esi, 68019F0Eh 0x00000010 jmp 00007F96311B0BD9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d movsx ebx, si 0x00000020 mov edi, eax 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0ECF second address: 4FD0EDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0EDF second address: 4FD0EEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0EEF second address: 4FD0EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0EF3 second address: 4FD0F0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F60573 second address: 4F605E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9630EEA8B6h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, 748535E4h 0x00000016 movsx edx, ax 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F9630EEA8B2h 0x00000022 add esi, 7AFA6898h 0x00000028 jmp 00007F9630EEA8ABh 0x0000002d popfd 0x0000002e mov ah, BEh 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 pushad 0x00000034 mov edx, 02C8F874h 0x00000039 mov cx, di 0x0000003c popad 0x0000003d pop ebp 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F605E1 second address: 4F605E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F605E5 second address: 4F605EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD04BC second address: 4FD04C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD04C2 second address: 4FD04E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD04E2 second address: 4FD04E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD04E8 second address: 4FD05AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e pushfd 0x0000000f jmp 00007F9630EEA8B9h 0x00000014 sub cl, FFFFFFF6h 0x00000017 jmp 00007F9630EEA8B1h 0x0000001c popfd 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 push ecx 0x00000022 jmp 00007F9630EEA8B3h 0x00000027 pop eax 0x00000028 mov si, bx 0x0000002b popad 0x0000002c mov eax, dword ptr [ebp+08h] 0x0000002f pushad 0x00000030 push ebx 0x00000031 pushfd 0x00000032 jmp 00007F9630EEA8ACh 0x00000037 adc cx, 2D78h 0x0000003c jmp 00007F9630EEA8ABh 0x00000041 popfd 0x00000042 pop ecx 0x00000043 pushfd 0x00000044 jmp 00007F9630EEA8B9h 0x00000049 xor si, FE16h 0x0000004e jmp 00007F9630EEA8B1h 0x00000053 popfd 0x00000054 popad 0x00000055 and dword ptr [eax], 00000000h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b mov ecx, 70A3E195h 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE011A second address: 4FE0136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0136 second address: 4FE013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE013A second address: 4FE014D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F8086B second address: 4F8089B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F9630EEA8B0h 0x0000000b sub esi, 06BD0578h 0x00000011 jmp 00007F9630EEA8ABh 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F8089B second address: 4F8089F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F8089F second address: 4F808A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F808A3 second address: 4F808A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F808A9 second address: 4F808D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F9630EEA8ABh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 mov si, dx 0x00000015 pop ebx 0x00000016 mov ecx, 0F836623h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 mov si, FA11h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0BDA second address: 4FE0C6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F96311B0BD7h 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ecx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F96311B0BD0h 0x00000014 and ecx, 2723AD08h 0x0000001a jmp 00007F96311B0BCBh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F96311B0BD8h 0x00000026 sbb eax, 561A4F68h 0x0000002c jmp 00007F96311B0BCBh 0x00000031 popfd 0x00000032 popad 0x00000033 push eax 0x00000034 jmp 00007F96311B0BD9h 0x00000039 xchg eax, ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0C6A second address: 4FE0C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0C6E second address: 4FE0C81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0C81 second address: 4FE0C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0C87 second address: 4FE0C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0C8B second address: 4FE0CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [774365FCh] 0x0000000d jmp 00007F9630EEA8B7h 0x00000012 test eax, eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9630EEA8B5h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0CC8 second address: 4FE0CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0CCE second address: 4FE0CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0CD2 second address: 4FE0D37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F96A3583852h 0x0000000e jmp 00007F96311B0BCFh 0x00000013 mov ecx, eax 0x00000015 jmp 00007F96311B0BD6h 0x0000001a xor eax, dword ptr [ebp+08h] 0x0000001d jmp 00007F96311B0BD1h 0x00000022 and ecx, 1Fh 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F96311B0BD3h 0x0000002d mov edx, eax 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA000C second address: 4FA0013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0013 second address: 4FA005E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F96311B0BCAh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F96311B0BCCh 0x00000012 jmp 00007F96311B0BD2h 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F96311B0BD7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA005E second address: 4FA0086 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov dh, FCh 0x00000010 movzx ecx, bx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0086 second address: 4FA00EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F96311B0BCCh 0x00000009 sub esi, 2D5B5D28h 0x0000000f jmp 00007F96311B0BCBh 0x00000014 popfd 0x00000015 mov cx, D21Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c and esp, FFFFFFF8h 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F96311B0BD0h 0x00000026 sbb eax, 57AC8F88h 0x0000002c jmp 00007F96311B0BCBh 0x00000031 popfd 0x00000032 push eax 0x00000033 push edx 0x00000034 call 00007F96311B0BD6h 0x00000039 pop ecx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA00EF second address: 4FA0112 instructions: 0x00000000 rdtsc 0x00000002 mov dh, 5Eh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9630EEA8B9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0112 second address: 4FA0130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov si, dx 0x0000000e push eax 0x0000000f push edx 0x00000010 mov bh, 3Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0130 second address: 4FA0163 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 75C1h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F9630EEA8ACh 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 mov edi, eax 0x00000013 mov di, cx 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9630EEA8B2h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0163 second address: 4FA0175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96311B0BCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0175 second address: 4FA019E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F9630EEA8B7h 0x0000000e mov ebx, dword ptr [ebp+10h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA019E second address: 4FA01A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA01A2 second address: 4FA01BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA01BD second address: 4FA01F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F96311B0BCBh 0x00000009 sbb ch, FFFFFFBEh 0x0000000c jmp 00007F96311B0BD9h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA01F3 second address: 4FA01F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA01F7 second address: 4FA01FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA01FD second address: 4FA0250 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov cx, bx 0x0000000e call 00007F9630EEA8ADh 0x00000013 pop edi 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov ah, dh 0x0000001b pushfd 0x0000001c jmp 00007F9630EEA8B0h 0x00000021 sbb cx, 2278h 0x00000026 jmp 00007F9630EEA8ABh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0250 second address: 4FA02B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F96311B0BCBh 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, dword ptr [ebp+08h] 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F96311B0BD5h 0x00000016 adc eax, 2C5255C6h 0x0000001c jmp 00007F96311B0BD1h 0x00000021 popfd 0x00000022 call 00007F96311B0BD0h 0x00000027 mov si, 2281h 0x0000002b pop ecx 0x0000002c popad 0x0000002d push ecx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov ebx, 580EEB0Ah 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA02B4 second address: 4FA0300 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9630EEA8ADh 0x00000009 xor esi, 4EB63886h 0x0000000f jmp 00007F9630EEA8B1h 0x00000014 popfd 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], edi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F9630EEA8B9h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0300 second address: 4FA0326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F96311B0BCDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0326 second address: 4FA03B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F96A32F8B80h 0x0000000f jmp 00007F9630EEA8AEh 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F9630EEA8AEh 0x00000022 and ecx, 3347AA48h 0x00000028 jmp 00007F9630EEA8ABh 0x0000002d popfd 0x0000002e mov esi, 241C2DBFh 0x00000033 popad 0x00000034 je 00007F96A32F8B53h 0x0000003a jmp 00007F9630EEA8B2h 0x0000003f mov edx, dword ptr [esi+44h] 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F9630EEA8B7h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA03B2 second address: 4FA03CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96311B0BD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA03CA second address: 4FA03CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA03CE second address: 4FA043F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007F96311B0BD7h 0x00000010 test edx, 61000000h 0x00000016 jmp 00007F96311B0BD6h 0x0000001b jne 00007F96A35BEE42h 0x00000021 jmp 00007F96311B0BD0h 0x00000026 test byte ptr [esi+48h], 00000001h 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F96311B0BD7h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA043F second address: 4FA04A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9630EEA8AFh 0x00000009 sbb esi, 57CD576Eh 0x0000000f jmp 00007F9630EEA8B9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F9630EEA8B0h 0x0000001b xor al, FFFFFFE8h 0x0000001e jmp 00007F9630EEA8ABh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 jne 00007F96A32F8AB2h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA04A1 second address: 4FA04A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA04A5 second address: 4FA04AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA04AB second address: 4FA04C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96311B0BD9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC02F6 second address: 4FC02FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC02FC second address: 4FC0302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0302 second address: 4FC0334 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F9630EEA8B0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 pop edi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0334 second address: 4FC0339 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0339 second address: 4FC03B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9630EEA8B1h 0x0000000a adc ecx, 465A6D36h 0x00000010 jmp 00007F9630EEA8B1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b mov cx, 90C3h 0x0000001f mov ch, 76h 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushfd 0x00000028 jmp 00007F9630EEA8B7h 0x0000002d or ecx, 2A2AEB1Eh 0x00000033 jmp 00007F9630EEA8B9h 0x00000038 popfd 0x00000039 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC03B0 second address: 4FC03EE instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov di, si 0x0000000a popad 0x0000000b and esp, FFFFFFF8h 0x0000000e jmp 00007F96311B0BD6h 0x00000013 xchg eax, ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F96311B0BD7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC03EE second address: 4FC0406 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0406 second address: 4FC0423 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F96311B0BCCh 0x0000000f push eax 0x00000010 push edx 0x00000011 mov eax, 12217E87h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0423 second address: 4FC0466 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 7C23h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F9630EEA8B6h 0x0000000f xchg eax, esi 0x00000010 jmp 00007F9630EEA8B0h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9630EEA8ADh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0466 second address: 4FC046A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC046A second address: 4FC0470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0470 second address: 4FC048E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, 3BAA7B3Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F96311B0BCCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC048E second address: 4FC0494 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0494 second address: 4FC04C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, AFC3h 0x00000007 mov ah, 85h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, dword ptr [ebp+08h] 0x0000000f jmp 00007F96311B0BCBh 0x00000014 sub ebx, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F96311B0BD2h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC04C4 second address: 4FC0543 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c jmp 00007F9630EEA8B4h 0x00000011 mov ax, 6671h 0x00000015 popad 0x00000016 je 00007F96A32D0745h 0x0000001c pushad 0x0000001d mov di, si 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F9630EEA8B4h 0x00000027 or ah, 00000078h 0x0000002a jmp 00007F9630EEA8ABh 0x0000002f popfd 0x00000030 mov si, 59AFh 0x00000034 popad 0x00000035 popad 0x00000036 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000003d pushad 0x0000003e call 00007F9630EEA8B0h 0x00000043 pushad 0x00000044 popad 0x00000045 pop eax 0x00000046 push eax 0x00000047 push edx 0x00000048 mov eax, edi 0x0000004a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0543 second address: 4FC0578 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 0AEEh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ecx, esi 0x0000000b jmp 00007F96311B0BD5h 0x00000010 je 00007F96A3596A06h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F96311B0BCDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0578 second address: 4FC05E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 call 00007F9630EEA8B8h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test byte ptr [77436968h], 00000002h 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F9630EEA8B7h 0x0000001d sbb al, 0000000Eh 0x00000020 jmp 00007F9630EEA8B9h 0x00000025 popfd 0x00000026 mov ebx, esi 0x00000028 popad 0x00000029 jne 00007F96A32D0682h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov dx, 0F46h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC06F0 second address: 4FC0724 instructions: 0x00000000 rdtsc 0x00000002 call 00007F96311B0BCAh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F96311B0BD1h 0x00000011 push dword ptr [ebp+14h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F96311B0BCDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC076A second address: 4FC0770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC0770 second address: 4FC07A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movsx edx, cx 0x00000011 jmp 00007F96311B0BD6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC07A7 second address: 4FC07AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC07AD second address: 4FC07B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC07B1 second address: 4FC07CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FC07CB second address: 4FC07DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50119D1 second address: 5011A2E instructions: 0x00000000 rdtsc 0x00000002 mov ch, 24h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F9630EEA8B3h 0x0000000f and ah, 0000003Eh 0x00000012 jmp 00007F9630EEA8B9h 0x00000017 popfd 0x00000018 mov ecx, 04F95887h 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F9630EEA8B9h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5011A2E second address: 5011AA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 0000007Fh 0x0000000b pushad 0x0000000c mov ebx, ecx 0x0000000e pushfd 0x0000000f jmp 00007F96311B0BD8h 0x00000014 adc si, DEF8h 0x00000019 jmp 00007F96311B0BCBh 0x0000001e popfd 0x0000001f popad 0x00000020 push 00000001h 0x00000022 jmp 00007F96311B0BD6h 0x00000027 push dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F96311B0BD7h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5011AD8 second address: 5011AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, al 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov esi, ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5011AE6 second address: 50119D1 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F96311B0BCDh 0x00000008 sub eax, 0BFC1FB6h 0x0000000e jmp 00007F96311B0BD1h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx ecx, bx 0x00000019 popad 0x0000001a retn 0004h 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call ebx 0x00000023 mov edi, edi 0x00000025 pushad 0x00000026 jmp 00007F96311B0BD0h 0x0000002b mov ebx, eax 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f jmp 00007F96311B0BCCh 0x00000034 push eax 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F96311B0BD1h 0x0000003c jmp 00007F96311B0BCBh 0x00000041 popfd 0x00000042 push eax 0x00000043 push edx 0x00000044 mov di, si 0x00000047 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C1AD8 second address: 5C1ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C1ADC second address: 5C1B07 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F96311B0BD9h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F96311B0BC6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C1B07 second address: 5C1B0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5C1B0B second address: 5C1B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F6024E second address: 4F6027B instructions: 0x00000000 rdtsc 0x00000002 mov al, dl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, si 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F9630EEA8B6h 0x00000010 push eax 0x00000011 pushad 0x00000012 mov eax, edx 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F6027B second address: 4F60296 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F603BC second address: 4F603DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c movzx eax, di 0x0000000f push eax 0x00000010 push edx 0x00000011 mov edi, 3541D18Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F40BB1 second address: 4F40C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2929046Ah 0x00000008 pushfd 0x00000009 jmp 00007F96311B0BCBh 0x0000000e jmp 00007F96311B0BD3h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 call 00007F96311B0BD4h 0x0000001e movzx esi, dx 0x00000021 pop edi 0x00000022 mov cx, FCA3h 0x00000026 popad 0x00000027 push eax 0x00000028 jmp 00007F96311B0BD9h 0x0000002d xchg eax, ebp 0x0000002e jmp 00007F96311B0BCEh 0x00000033 mov ebp, esp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F96311B0BD7h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F40C3F second address: 4F40C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4F40C57 second address: 4F40C68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a mov cx, dx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF04C4 second address: 4FF04C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF04C8 second address: 4FF04E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF04E3 second address: 4FF04FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF04FB second address: 4FF04FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF04FF second address: 4FF053F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F9630EEA8B3h 0x00000013 xor cx, 6C6Eh 0x00000018 jmp 00007F9630EEA8B9h 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FF053F second address: 4FF0571 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, cx 0x00000009 popad 0x0000000a pop ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007F96311B0BD2h 0x00000014 or ax, 0B18h 0x00000019 jmp 00007F96311B0BCBh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD00C2 second address: 4FD00C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD00C6 second address: 4FD00CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD00CC second address: 4FD00DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD00DC second address: 4FD00E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD00E0 second address: 4FD0110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F9630EEA8ACh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F9630EEA8B0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0110 second address: 4FD0114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FD0114 second address: 4FD011A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0E09 second address: 4FA0E50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 mov bh, 1Ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, 8322h 0x00000013 pushfd 0x00000014 jmp 00007F96311B0BD3h 0x00000019 xor ax, D01Eh 0x0000001e jmp 00007F96311B0BD9h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0E50 second address: 4FA0E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0E56 second address: 4FA0E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0E5A second address: 4FA0E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0E7A second address: 4FA0E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0E7E second address: 4FA0E99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0E99 second address: 4FA0E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FA0E9F second address: 4FA0EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5030374 second address: 50303BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, ecx 0x0000000f pushfd 0x00000010 jmp 00007F96311B0BD6h 0x00000015 sub esi, 79DD2488h 0x0000001b jmp 00007F96311B0BCBh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50303BD second address: 5030455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9630EEA8AFh 0x00000008 mov bh, ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f pushad 0x00000010 mov eax, ebx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jmp 00007F9630EEA8B9h 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e push ecx 0x0000001f movsx edx, ax 0x00000022 pop esi 0x00000023 push ebx 0x00000024 movzx ecx, bx 0x00000027 pop edx 0x00000028 popad 0x00000029 push dword ptr [ebp+0Ch] 0x0000002c pushad 0x0000002d call 00007F9630EEA8B6h 0x00000032 pushfd 0x00000033 jmp 00007F9630EEA8B2h 0x00000038 jmp 00007F9630EEA8B5h 0x0000003d popfd 0x0000003e pop eax 0x0000003f mov cx, dx 0x00000042 popad 0x00000043 push dword ptr [ebp+08h] 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5030455 second address: 5030459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5030459 second address: 503045D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 503045D second address: 5030463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5030463 second address: 503049E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F9630EEA8A9h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9630EEA8B5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 503049E second address: 50304BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50304BA second address: 50304BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50304BE second address: 50304C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50304C4 second address: 50305A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9630EEA8ABh 0x00000009 sub ch, 0000006Eh 0x0000000c jmp 00007F9630EEA8B9h 0x00000011 popfd 0x00000012 mov ebx, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007F9630EEA8ADh 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 call 00007F9630EEA8B7h 0x00000028 jmp 00007F9630EEA8B8h 0x0000002d pop eax 0x0000002e pushfd 0x0000002f jmp 00007F9630EEA8ABh 0x00000034 sub ecx, 0906F68Eh 0x0000003a jmp 00007F9630EEA8B9h 0x0000003f popfd 0x00000040 popad 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007F9630EEA8B7h 0x0000004c and cx, 149Eh 0x00000051 jmp 00007F9630EEA8B9h 0x00000056 popfd 0x00000057 push eax 0x00000058 push edx 0x00000059 mov ax, 66BDh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50305A8 second address: 50305AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50305AC second address: 50305BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50305BA second address: 50305BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 50305BE second address: 50305C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5030608 second address: 5030617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5030617 second address: 5030649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9630EEA8AFh 0x00000009 add cl, 0000001Eh 0x0000000c jmp 00007F9630EEA8B9h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 5030649 second address: 503066D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx eax, al 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F96311B0BD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 503066D second address: 5030673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE05F4 second address: 4FE0601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0601 second address: 4FE0605 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE0605 second address: 4FE060B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE060B second address: 4FE064B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9630EEA8B2h 0x00000009 or cx, 3ED8h 0x0000000e jmp 00007F9630EEA8ABh 0x00000013 popfd 0x00000014 mov dx, si 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F9630EEA8B0h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	RDTSC instruction interceptor: First address: 4FE064B second address: 4FE0655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 427D80E4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Special instruction interceptor: First address: 41787E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Special instruction interceptor: First address: 5B7A1F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Special instruction interceptor: First address: 41518A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Special instruction interceptor: First address: 5C6BCB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Special instruction interceptor: First address: 62B4DF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: EC787E instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 1067A1F instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: EC518A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 1076BCB instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 10DB4DF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 107787E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 1217A1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 107518A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 1226BCB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 128B4DF instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

Code function: 0_2_05020CC3 rdtsc

0_2_05020CC3

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Window / User API: threadDelayed 506	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Window / User API: threadDelayed 672	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Window / User API: threadDelayed 4686	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 2876	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 2836	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 631	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 4870	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1224	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1280	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1266	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1249	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1280	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 378	Jump to behavior

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-17975
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_6-17489
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 1540	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 1540	Thread sleep time: -82041s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 1424	Thread sleep count: 506 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 1424	Thread sleep time: -1012506s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 572	Thread sleep count: 119 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 5504	Thread sleep count: 672 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 5504	Thread sleep time: -1344672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 572	Thread sleep count: 256 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 5936	Thread sleep count: 4686 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 5936	Thread sleep time: -9376686s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3052	Thread sleep count: 55 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3052	Thread sleep time: -110055s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6480	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6480	Thread sleep time: -112056s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5968	Thread sleep count: 69 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3196	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3196	Thread sleep time: -118059s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5968	Thread sleep count: 318 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5968	Thread sleep time: -32118s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2792	Thread sleep count: 2876 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2792	Thread sleep time: -5754876s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3088	Thread sleep count: 2836 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3088	Thread sleep time: -5674836s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1372	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1372	Thread sleep time: -76038s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5492	Thread sleep count: 631 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5492	Thread sleep time: -1262631s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6860	Thread sleep count: 67 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6860	Thread sleep count: 286 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3560	Thread sleep count: 4870 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3560	Thread sleep time: -9744870s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6124	Thread sleep count: 1224 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6124	Thread sleep time: -2449224s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3784	Thread sleep count: 1280 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3784	Thread sleep time: -2561280s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1080	Thread sleep count: 102 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1080	Thread sleep count: 339 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1080	Thread sleep time: -34239s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6904	Thread sleep count: 1266 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6904	Thread sleep time: -2533266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5952	Thread sleep count: 1249 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5952	Thread sleep time: -2499249s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6292	Thread sleep count: 123 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4024	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4024	Thread sleep time: -84042s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6268	Thread sleep count: 1280 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6268	Thread sleep time: -2561280s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6292	Thread sleep count: 378 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6292	Thread sleep time: -38178s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.0000000001250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000J
Source: hYrJbjnzVc.exe, 00000000.00000003.2142690858.00000000012CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: hYrJbjnzVc.exe, 00000000.00000002.3341233164.0000000000F5C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}$
Source: RageMP131.exe, 0000000C.00000002.3338094758.0000000000AFC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: RageMP131.exe, 0000000C.00000003.2427156911.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.0000000001290000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_933EE5DA
Source: MPGPH131.exe, 00000007.00000003.2210426857.0000000001785000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6b
Source: MPGPH131.exe, 00000007.00000002.3341384311.0000000001785000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}~
Source: RageMP131.exe, 0000000C.00000003.2427156911.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: hYrJbjnzVc.exe, 00000000.00000003.2142690858.00000000012D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};
Source: MPGPH131.exe, 00000007.00000002.3341384311.0000000001785000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_dih
Source: MPGPH131.exe, 00000006.00000002.3339556281.0000000000987000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: RageMP131.exe, 00000008.00000003.2316246161.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.3338352457.00000000006FC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}4
Source: hYrJbjnzVc.exe, 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000q
Source: RageMP131.exe, 0000000C.00000003.2427156911.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000176D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 00000008.00000002.3338690809.000000000097C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_933EE5DA

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

Code function: 0_2_05020CC3 rdtsc

0_2_05020CC3

Source: hYrJbjnzVc.exe, hYrJbjnzVc.exe, 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmp

Binary or memory string: >Program Manager

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

Code function: 0_2_002B360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_002B360D

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: hYrJbjnzVc.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7080, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: hYrJbjnzVc.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7080, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	24 Virtualization/Sandbox Evasion	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	214 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hYrJbjnzVc.exe	53%	ReversingLabs	Win32.Trojan.RisePro
hYrJbjnzVc.exe	51%	Virustotal		Browse
hYrJbjnzVc.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	53%	ReversingLabs	Win32.Trojan.RisePro
C:\ProgramData\MPGPH131\MPGPH131.exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	53%	ReversingLabs	Win32.Trojan.RisePro
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	51%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ipinfo.io/widget/demo/191.96.150.225T5	hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io/g_Entries	RageMP131.exe, 00000008.00000002.3338690809.0000000000937000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io/	RageMP131.exe, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.maxmind.com/en/locate-my-ip-address	RageMP131.exe	false	high
https://ipinfo.io/tG	RageMP131.exe, 00000008.00000002.3338690809.000000000094D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io/5	RageMP131.exe, 0000000C.00000002.3338900504.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io/M%	MPGPH131.exe, 00000006.00000002.3339556281.0000000000957000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.winimage.com/zLibDll	hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp	false	high
https://ipinfo.io/widget/demo/191.96.150.225	hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3339556281.0000000000987000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000177C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D30000.00000004.00000020.00020000.00000000.sdmp	false	high
https://t.me/RiseProSUPPORT	hYrJbjnzVc.exe, 00000000.00000002.3343201264.000000000125E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3339556281.000000000092E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3338690809.000000000090E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://t.me/RiseProSUPPORTD	MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io/ameSpace=	hYrJbjnzVc.exe, 00000000.00000002.3343201264.0000000001290000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io/widget/demo/191.96.150.225r2G	hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io/widget/demo/191.96.150.225R	RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.47.93	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435364
Start date and time:	2024-05-02 15:48:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hYrJbjnzVc.exe renamed because original name is a hash value
Original Sample Name:	adb680e5c7586df1d183ad1ef4807648.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
15:49:01	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
15:49:01	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
15:49:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
15:49:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
15:49:25	API Interceptor	1226503x Sleep call for process: hYrJbjnzVc.exe modified
15:49:34	API Interceptor	1422309x Sleep call for process: MPGPH131.exe modified
15:49:44	API Interceptor	950349x Sleep call for process: RageMP131.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.45.47.93	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse
	RY5YJaMEWE.exe	Get hash	malicious	RisePro Stealer	Browse
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse
	0BzQNa8hYd.exe	Get hash	malicious	RisePro Stealer	Browse
	3CkMJ4UkNy.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.PWSX-gen.2624.6335.exe	Get hash	malicious	RisePro Stealer	Browse
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
	2zdult23rz.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	RY5YJaMEWE.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	0BzQNa8hYd.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	3CkMJ4UkNy.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	SecuriteInfo.com.Win32.PWSX-gen.2624.6335.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	34.117.186.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	KhbShPK91I.exe	Get hash	malicious	Unknown	Browse	193.233.132.56
	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	RY5YJaMEWE.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	MejqsB9tx9.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	0BzQNa8hYd.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	3CkMJ4UkNy.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	U8uFcjIjAR.exe	Get hash	malicious	LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	193.233.132.234
	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93

Process:	C:\Users\user\Desktop\hYrJbjnzVc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2372608
Entropy (8bit):	7.919032959088412
Encrypted:	false
SSDEEP:	49152:JGY5918NqwTEgTcQnMbHNnl3sUngdXzd+DDLosT0ByPhO3l:GhTPMbFK5+DDLLWyPw
MD5:	ADB680E5C7586DF1D183AD1EF4807648
SHA1:	DF9C9E796C877100EBE80A457D57D9358401BE50
SHA-256:	597E094A98F56C0EF8B89CEDD7C96D14FCA1F5DD25E6E120525246D47DE6BA96
SHA-512:	D3B8383DE7A18EA724CBC3CDFEE753C45C0FF7289E338863492D8C7FFA9FB3193A7311A65E631156444E2516C515F679851E8EF7FA8F58344AE2B881EB6FFA0F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53% Antivirus: Virustotal, Detection: 51%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y...s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L.....2f...............'..............\...........@...........................\......Z$...@.................................^0..r....p......................8.[...............................[.................................@................... . .`..........................@....rsrc........p......................@....idata .....0......................@... ....@......................@...rtycizfs.P...PC..D..................@...ybcmmseg......\.......$.............@....taggant.0....\.."....$.............@...........................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\hYrJbjnzVc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\hYrJbjnzVc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2372608
Entropy (8bit):	7.919032959088412
Encrypted:	false
SSDEEP:	49152:JGY5918NqwTEgTcQnMbHNnl3sUngdXzd+DDLosT0ByPhO3l:GhTPMbFK5+DDLLWyPw
MD5:	ADB680E5C7586DF1D183AD1EF4807648
SHA1:	DF9C9E796C877100EBE80A457D57D9358401BE50
SHA-256:	597E094A98F56C0EF8B89CEDD7C96D14FCA1F5DD25E6E120525246D47DE6BA96
SHA-512:	D3B8383DE7A18EA724CBC3CDFEE753C45C0FF7289E338863492D8C7FFA9FB3193A7311A65E631156444E2516C515F679851E8EF7FA8F58344AE2B881EB6FFA0F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53% Antivirus: Virustotal, Detection: 51%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y...s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L.....2f...............'..............\...........@...........................\......Z$...@.................................^0..r....p......................8.[...............................[.................................@................... . .`..........................@....rsrc........p......................@....idata .....0......................@... ....@......................@...rtycizfs.P...PC..D..................@...ybcmmseg......\.......$.............@....taggant.0....\.."....$.............@...........................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\hYrJbjnzVc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\hYrJbjnzVc.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	3.0269868333592873
Encrypted:	false
SSDEEP:	3:LuTSyW:KHW
MD5:	EE8B418DF543DCFB14DBB6C7519D8A7A
SHA1:	1B04FAA0A7A3D4DFB8CBB4EA4F216E06079EAB31
SHA-256:	CE48C61ECBB0CC98FA7AAAA38C30B5287292A53E49CA7D73ECE624EDE62FD1A9
SHA-512:	F11F13CF79812936FE18F2C2485D4D7E9219513D3CBA9B46D0854538BCA2225D8FE1D486F9637C500085C62C2CDF2D8C3D1E7B56161EAA61231D5F7916EC4C60
Malicious:	false
Reputation:	low
Preview:	1714663095323

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.919032959088412
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hYrJbjnzVc.exe
File size:	2'372'608 bytes
MD5:	adb680e5c7586df1d183ad1ef4807648
SHA1:	df9c9e796c877100ebe80a457d57d9358401be50
SHA256:	597e094a98f56c0ef8b89cedd7c96d14fca1f5dd25e6e120525246d47de6ba96
SHA512:	d3b8383de7a18ea724cbc3cdfee753c45c0ff7289e338863492d8c7ffa9fb3193a7311a65e631156444e2516c515f679851e8ef7fa8f58344ae2b881eb6ffa0f
SSDEEP:	49152:JGY5918NqwTEgTcQnMbHNnl3sUngdXzd+DDLosT0ByPhO3l:GhTPMbFK5+DDLLWyPw
TLSH:	4CB533999F400DF3F5251D7811A1D77E92758DA7AB84C13B7AC67E2FBE36D80AA31008
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	4c4d96ec0ce6c600

Static PE Info

General

Entrypoint:	0x9cb000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x663202DB [Wed May 1 08:52:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F96307F2D7Ah
movlps xmm4, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F96307F4D75h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax+edx*4+4D980FDDh], dh
xchg dword ptr [ebx], ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19305e	0x72	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x187000	0xb2a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5be338	0x10	rtycizfs
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5be2e8	0x18	rtycizfs
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1803c4	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x186000	0xaa000	4d98df1064933d15e0a499c9306a9302	False	0.9882769416360294	Encore unsupported executable not stripped - version 8887	7.924289235236996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x187000	0xb2a0	0x1600	b2cc9fe16da2fe3883ed9d19a930ab13	False	0.9412286931818182	data	7.715353488316914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x193000	0x1000	0x200	8c29efdfbff94ae979a616a79e50cbd3	False	0.1640625	data	1.180504109820196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x194000	0x2a1000	0x200	f8889dc20c1d91e42593b253897ffdfa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rtycizfs	0x435000	0x195000	0x194400	f376192d78e3e1cf7ad58b68460f20dc	False	0.9708051899737168	data	7.911667279717006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ybcmmseg	0x5ca000	0x1000	0x400	3b768ebd7847f76ac531056f1e75e381	False	0.7744140625	data	6.093256920081115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5cb000	0x3000	0x2200	86d2e08022f947422d806d63a54a2d69	False	0.06043198529411765	DOS executable (COM)	0.7066680315415986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5be348	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Russian	Russia	0.1320921985815603
RT_ICON	0x5be7b0	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1600	Russian	Russia	0.10465116279069768
RT_ICON	0x5bee68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Russian	Russia	0.08770491803278689
RT_ICON	0x5bf7f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Russian	Russia	0.05722326454033771
RT_ICON	0x5c0898	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Russian	Russia	0.03475103734439834
RT_ICON	0x5c2e40	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	Russian	Russia	0.02509447331128956
RT_ICON	0x5c7068	0x1aae	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.39780380673499266
RT_GROUP_ICON	0x5c8b16	0x68	data	Russian	Russia	0.7596153846153846
RT_VERSION	0x5c8b7e	0x398	OpenPGP Public Key	Russian	Russia	0.42282608695652174
RT_MANIFEST	0x5c8f16	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x5c91fc	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/02/24-15:51:00.791980	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49712	58709	192.168.2.6	147.45.47.93
05/02/24-15:51:00.553596	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49710	58709	192.168.2.6	147.45.47.93
05/02/24-15:51:01.432598	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49721	58709	192.168.2.6	147.45.47.93
05/02/24-15:49:19.512222	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49719	147.45.47.93	192.168.2.6
05/02/24-15:50:31.741030	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49712	147.45.47.93	192.168.2.6
05/02/24-15:50:32.037911	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49719	147.45.47.93	192.168.2.6
05/02/24-15:50:32.590411	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49721	147.45.47.93	192.168.2.6
05/02/24-15:49:30.619527	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49721	147.45.47.93	192.168.2.6
05/02/24-15:50:31.373536	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49710	147.45.47.93	192.168.2.6
05/02/24-15:50:31.755257	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49713	147.45.47.93	192.168.2.6
05/02/24-15:49:01.484930	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49710	147.45.47.93	192.168.2.6
05/02/24-15:49:08.939674	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49712	147.45.47.93	192.168.2.6
05/02/24-15:49:08.962696	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49713	147.45.47.93	192.168.2.6
05/02/24-15:49:02.615417	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49710	58709	192.168.2.6	147.45.47.93
05/02/24-15:51:01.135824	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49719	58709	192.168.2.6	147.45.47.93
05/02/24-15:51:00.823298	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49713	58709	192.168.2.6	147.45.47.93

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 15:49:01.105108023 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:01.294599056 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:01.294759989 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:01.484930038 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:01.525527000 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:02.615417004 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:02.852906942 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:05.448077917 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:05.681322098 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:08.562479973 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:08.562593937 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:08.750951052 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:49:08.750974894 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:08.751198053 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:08.751216888 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:08.773525000 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:08.777484894 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:08.939673901 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:49:08.962696075 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:08.994292974 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:09.009563923 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:49:09.009666920 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:09.088063955 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:12.658190966 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:12.721848011 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:12.900110006 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:49:12.963700056 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:19.134862900 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:19.323769093 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:49:19.323904991 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:19.355957985 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:19.512222052 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:49:19.587899923 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:49:19.713074923 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:22.636055946 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:22.868841887 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:49:30.242886066 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:30.431123972 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:49:30.431241989 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:30.446367025 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:30.619527102 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:49:30.681150913 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:49:30.697559118 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:33.760082960 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:33.994079113 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:49:35.729940891 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:35.962344885 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:41.979027987 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:41.979057074 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:41.979188919 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:42.212614059 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:42.212651014 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:42.212685108 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:49:45.103898048 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:45.337368011 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:48.300113916 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:48.365923882 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:48.366051912 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:48.540981054 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:48.602973938 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:48.603166103 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:49:51.760468960 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:51.760575056 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:51.760679960 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:51.760922909 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:51.993690014 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:51.993709087 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:51.993724108 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:49:51.993736982 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:49:54.903541088 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:54.907385111 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:54.907533884 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:55.134660959 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:55.149810076 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:55.149912119 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:49:58.026196957 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:58.026305914 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:58.026444912 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:58.026570082 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:49:58.259433985 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:49:58.259480000 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:49:58.259494066 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:49:58.259505987 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:00.307130098 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:00.540874958 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:01.167133093 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:01.167815924 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:01.167953014 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:01.399893999 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:01.399929047 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:01.399944067 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:04.291541100 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:04.291601896 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:04.291737080 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:04.291892052 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:04.524826050 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:04.524844885 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:04.525060892 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:04.525124073 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:06.572905064 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:06.806058884 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:07.416544914 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:07.416673899 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:07.416785002 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:07.416910887 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:07.650450945 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:07.650532961 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:07.650548935 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:07.650562048 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:09.698009014 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:09.931466103 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:10.557240009 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:10.557431936 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:10.557480097 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:10.557568073 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:10.790654898 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:10.790673971 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:10.790765047 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:10.790781021 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:12.823220015 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:13.056544065 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:13.697936058 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:13.697946072 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:13.698072910 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:13.698117971 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:13.931515932 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:13.931536913 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:13.931549072 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:13.931577921 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:15.963551998 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:16.196960926 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:16.838622093 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:16.838661909 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:16.838773966 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:16.838854074 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:17.073420048 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:17.073447943 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:17.073467970 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:17.073483944 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:19.104368925 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:19.337547064 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:19.964004993 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:19.964135885 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:19.964135885 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:19.964555025 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:20.212697983 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:20.212723017 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:20.212737083 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:20.212752104 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:22.229852915 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:22.468734980 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:23.104432106 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:23.104471922 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:23.104624987 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:23.104728937 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:23.337932110 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:23.337977886 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:23.338009119 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:23.338025093 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:25.354458094 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:25.587424040 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:26.229588032 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:26.229752064 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:26.229854107 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:26.229958057 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:26.463057041 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:26.463150978 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:26.463166952 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:26.463180065 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:28.495663881 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:28.728229046 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:29.355046034 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:29.355072021 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:29.355201960 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:29.355305910 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:29.587729931 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:29.587749004 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:29.587762117 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:29.587776899 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:31.373536110 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:31.448256016 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:31.638736010 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:31.741029978 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:31.755256891 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:31.838067055 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:31.868712902 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:31.869290113 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:32.037910938 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:32.228704929 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:32.590410948 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:32.666224003 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:34.510443926 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:34.743598938 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:34.870377064 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:34.870526075 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:35.103018045 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:35.103086948 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:35.167814016 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:35.399795055 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:35.729207039 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:35.962615967 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:37.635680914 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:37.868902922 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:38.010745049 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:38.010858059 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:38.243655920 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:38.243683100 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:38.292013884 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:38.525005102 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:38.870091915 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:39.104069948 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:40.244997025 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:40.343044043 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:40.511384010 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:40.526246071 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:40.666172981 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:40.728668928 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:40.820094109 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:41.041363001 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:41.138465881 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:41.275547028 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:43.370382071 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:43.602946997 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:43.651788950 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:43.670703888 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:43.884371996 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:43.899974108 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:43.948056936 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:44.181128979 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:44.276345968 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:44.509121895 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:45.932764053 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:45.978682995 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:46.200059891 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:46.215944052 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:46.275561094 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:46.338124037 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:46.479414940 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:46.541198969 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:46.761140108 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:46.969578981 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:49.057537079 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:49.290666103 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:49.338742018 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:49.354475975 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:49.572262049 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:49.587696075 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:49.604809999 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:49.837330103 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:49.897403002 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:50.134561062 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:52.182605028 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:52.415523052 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:52.479414940 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:52.494889975 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:52.712845087 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:52.728379965 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:52.744843960 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:52.978435993 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:53.010783911 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:53.243623972 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:54.264110088 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:54.436111927 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:54.526140928 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:54.541898012 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:54.728682041 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:54.775562048 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:54.863718033 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:55.041260004 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:55.170578003 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:50:55.275547028 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:57.401369095 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:57.634262085 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:50:57.651287079 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:57.682887077 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:57.884376049 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:50:57.915651083 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:50:57.995009899 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:58.227976084 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:50:58.291731119 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:50:58.525197983 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:51:00.553596020 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:00.790746927 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:51:00.791980028 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:00.823297977 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:01.024991035 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:51:01.056323051 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:51:01.135823965 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:01.368822098 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:51:01.432598114 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:01.666587114 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:51:08.702586889 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:51:08.805951118 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:09.200347900 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:51:09.216547012 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:51:09.244590044 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:09.275522947 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:10.198496103 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:51:10.244277954 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:14.527427912 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:51:14.599062920 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:18.604089022 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:51:18.681781054 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:18.919809103 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:51:18.934602976 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:51:18.978657007 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:19.041157007 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:19.432429075 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:51:19.478677034 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:19.759485006 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:51:19.931808949 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:25.104531050 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:51:25.181818008 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:25.354137897 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:51:25.370846987 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:51:25.431787014 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:25.478684902 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:25.685748100 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:51:25.744503021 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:26.104383945 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:51:26.181945086 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:30.292193890 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:51:30.369422913 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:30.560349941 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:51:30.577419996 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:51:30.681817055 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:30.744357109 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:30.775691986 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:51:30.931864977 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:30.994515896 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:51:31.181863070 CEST	49721	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:38.088047981 CEST	58709	49710	147.45.47.93	192.168.2.6
May 2, 2024 15:51:38.151268005 CEST	58709	49712	147.45.47.93	192.168.2.6
May 2, 2024 15:51:38.166227102 CEST	49710	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:38.166512012 CEST	58709	49713	147.45.47.93	192.168.2.6
May 2, 2024 15:51:38.228877068 CEST	49712	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:38.275569916 CEST	49713	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:38.358599901 CEST	58709	49719	147.45.47.93	192.168.2.6
May 2, 2024 15:51:38.513964891 CEST	58709	49721	147.45.47.93	192.168.2.6
May 2, 2024 15:51:38.541318893 CEST	49719	58709	192.168.2.6	147.45.47.93
May 2, 2024 15:51:38.598227978 CEST	49721	58709	192.168.2.6	147.45.47.93

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 15:51:03.077815056 CEST	49778	53	192.168.2.6	1.1.1.1
May 2, 2024 15:51:03.167844057 CEST	53	49778	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 2, 2024 15:51:03.077815056 CEST	192.168.2.6	1.1.1.1	0xf0dc	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 2, 2024 15:51:03.167844057 CEST	1.1.1.1	192.168.2.6	0xf0dc	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:48:53
Start date:	02/05/2024
Path:	C:\Users\user\Desktop\hYrJbjnzVc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hYrJbjnzVc.exe"
Imagebase:	0x280000
File size:	2'372'608 bytes
MD5 hash:	ADB680E5C7586DF1D183AD1EF4807648
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:48:59
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xf50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:48:59
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:48:59
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xf50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:48:59
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:49:01
Start date:	02/05/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0xd30000
File size:	2'372'608 bytes
MD5 hash:	ADB680E5C7586DF1D183AD1EF4807648
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:49:01
Start date:	02/05/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0xd30000
File size:	2'372'608 bytes
MD5 hash:	ADB680E5C7586DF1D183AD1EF4807648
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	15:49:11
Start date:	02/05/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0xee0000
File size:	2'372'608 bytes
MD5 hash:	ADB680E5C7586DF1D183AD1EF4807648
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	15:49:21
Start date:	02/05/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0xee0000
File size:	2'372'608 bytes
MD5 hash:	ADB680E5C7586DF1D183AD1EF4807648
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	2.3%
Total number of Nodes:	1893
Total number of Limit Nodes:	30

Executed Functions

Function 00345940 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0034596B
socket.WS2_32(?,?,?,?,?,?,00406328,?,?), ref: 00345A0E
connect.WS2_32(00000000,003D6B31,?,?,?,?,00406328,?,?), ref: 00345A21
closesocket.WS2_32(00000000), ref: 00345A2D

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 9355f352cdf47716fdc6f7621c71dab46e5aa4935f006fa8da9fa15bb3554b82
Instruction ID: 30aeb2ab63d7cbd9d8eadfa2b99a1cb8096988e4f17596f82ebf30d09249b4d3
Opcode Fuzzy Hash: 9355f352cdf47716fdc6f7621c71dab46e5aa4935f006fa8da9fa15bb3554b82
Instruction Fuzzy Hash: 3431E4329157016BD7229F648C85B6BB7E5FFCA334F015F19F9A89B2D1E370A8048692

Uniqueness

Uniqueness Score: -1.00%

Function 05020CC3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000000), ref: 05020D1E

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: f1ecf87fff66698e3637a906a390eb8333071b61d92a9ec44f51fc7c29aa70b6
Instruction ID: 70b61f7ffa232b8a387fe17038e2e1d9644c0bf32d24362b2b3e274ac7d00cdc
Opcode Fuzzy Hash: f1ecf87fff66698e3637a906a390eb8333071b61d92a9ec44f51fc7c29aa70b6
Instruction Fuzzy Hash: AF4181EF28C330BDB652C5553B2DAFE66AFE6C67307308426F407D6A46E6940B8D1031

Uniqueness

Uniqueness Score: -1.00%

Function 00344EB0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000414,0000FFFF,00001006,?,00000008), ref: 00344F56
recv.WS2_32(?,00000004,00000002), ref: 00344F71
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00344FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00345014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 003450B1

Part of subcall function 00345940: WSAStartup.WS2_32 ref: 0034596B
Part of subcall function 00345940: socket.WS2_32(?,?,?,?,?,?,00406328,?,?), ref: 00345A0E
Part of subcall function 00345940: connect.WS2_32(00000000,003D6B31,?,?,?,?,00406328,?,?), ref: 00345A21
Part of subcall function 00345940: closesocket.WS2_32(00000000), ref: 00345A2D

recv.WS2_32(00000000,?,00000008), ref: 003450CB
recv.WS2_32(?,00000004,00000008), ref: 003451D3
__Xtime_get_ticks.LIBCPMT ref: 003451DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003451E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00345261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00345269

Strings

(c@, xrefs: 00344F05

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID: (c@
API String ID: 301102601-4044601278
Opcode ID: 9c98d1fd36826b218f659fb52c493171bf33dd208ebeec7a7c7d3cbaec41a753
Instruction ID: 81542524b26278f064923c68c5667ba3516a59f926e419a49eeb025e6f88529b
Opcode Fuzzy Hash: 9c98d1fd36826b218f659fb52c493171bf33dd208ebeec7a7c7d3cbaec41a753
Instruction Fuzzy Hash: 31B19B71D043089FEB15DFA8CE89BADBBF5BB45310F144229E455BB2D2D7B06944CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00289280 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,003CA4DC,00000000,761B23A0,-00406880), ref: 002896C9

Strings

4oST, xrefs: 00289660
Ws2_32.dll, xrefs: 0028969A
4oST, xrefs: 0028962C

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: Send
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 121738739-1839276265
Opcode ID: f1ad56e56af606425b27ed98268fb804f237dd580b04a8547d75453bee4a3344
Instruction ID: 495cabe56775346a813af6a4a4dd7eb0266ae0c55409f293860e4277b47b044d
Opcode Fuzzy Hash: f1ad56e56af606425b27ed98268fb804f237dd580b04a8547d75453bee4a3344
Instruction Fuzzy Hash: FF02FDB0D24298DFDF25DFA4C8907ACBBB0EF55314F284289E4856B6C6D7701986CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05020A2D Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: 6879a7f35283b78ba126314c2885cbe4270e6fe3ab5faacccaa82c01857d4022
Instruction ID: aeed2e2dd37488349e4d94ff086d10542953d0ff49ac3992fd6a34c8f0fa915f
Opcode Fuzzy Hash: 6879a7f35283b78ba126314c2885cbe4270e6fe3ab5faacccaa82c01857d4022
Instruction Fuzzy Hash: 4E9135EB14D330BDA252C5517B6DAFF6BAFE6D7730730842AF40BC6A42E2940B891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020A3C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: bbb12959755155084a91367bbf71c9647ee3d6369fac4f4162d104496bb79892
Instruction ID: eb6f7c2fa61b0033cf2eb8cea26736d398ebbae50b658665974af7bf93dfb73a
Opcode Fuzzy Hash: bbb12959755155084a91367bbf71c9647ee3d6369fac4f4162d104496bb79892
Instruction Fuzzy Hash: 9F8105EB18D330BDA252D5517B6DAFF67AFE6D7730730842AF40BD6A42E6940A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020A4C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: 6257d3e130c137423f41254d9f18f5e4a1d1ee1b2a3371fdd1a8f45493a75af7
Instruction ID: 4a2315096c4d6df329ff6e0ffc485f13c2a9fc099c36cc89e01fd72e2c63b728
Opcode Fuzzy Hash: 6257d3e130c137423f41254d9f18f5e4a1d1ee1b2a3371fdd1a8f45493a75af7
Instruction Fuzzy Hash: 918115EB18D330BDA252D5557B6DAFF67AFE6D77307308426F40BD6A02E6940A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020AD5 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: daef992244c287ffe9362e1ad476dc219e36c3208c80cc079250503f35cad94f
Instruction ID: a4fd2260e3f79a18798528c39f07ee63b0cd2ccc5503a4952448669e461f2cc8
Opcode Fuzzy Hash: daef992244c287ffe9362e1ad476dc219e36c3208c80cc079250503f35cad94f
Instruction Fuzzy Hash: 918117EB28D330BDA252D1557B6DAFF6BAFE6D77307308426F407D6A42E6D40A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020A6F Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: 108824dfdabb54d44f72f5003cf36eb6525b2a37f1b9ef03e1cab0571fb1bc6b
Instruction ID: 612741a8eaf18c92816813b95338d2f442d54e5375ab06c36ac691d4b2a24f49
Opcode Fuzzy Hash: 108824dfdabb54d44f72f5003cf36eb6525b2a37f1b9ef03e1cab0571fb1bc6b
Instruction Fuzzy Hash: A98116EB18D330BEA252D1557B6DAFF67AFE6D77307308426F40BD6A42E6D40A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020A84 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: 471967089208a7e96bb741da4a9256f994af26ca377f99b530c6d2588dd3f30e
Instruction ID: 62235a5df20b49c26eea309e81f8ccc530b5d6e12bff7b30dc0a25f0f221c516
Opcode Fuzzy Hash: 471967089208a7e96bb741da4a9256f994af26ca377f99b530c6d2588dd3f30e
Instruction Fuzzy Hash: 008106EB18C330BDA252D5557B6DAFFABAFE6D77307308426F407D6A42E6D40A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020AFF Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: 56924d68ddd99aa7dd661392c639426dd235256592a8e2c946b9b15f5db9ba34
Instruction ID: 1ba8e57dad61137861c8317f0792efcfccdc5afdcacd71e7546b218a33af751d
Opcode Fuzzy Hash: 56924d68ddd99aa7dd661392c639426dd235256592a8e2c946b9b15f5db9ba34
Instruction Fuzzy Hash: 098117EB18D330BDA652D5517B6DAFF66AFE6D7730730842AF407D6A42E2940B891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020AB1 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: 9a3e73b0ad9655cd3041c43b5fee13904b5aa98fcf785a45134104cc2a108083
Instruction ID: 0b70bd26f1bd638ba1bd8dc5b062134f17fa071739929d02dc68b3f50593613f
Opcode Fuzzy Hash: 9a3e73b0ad9655cd3041c43b5fee13904b5aa98fcf785a45134104cc2a108083
Instruction Fuzzy Hash: FD71F5EB18C330BDA252D5557B6DAFFA6AFE6C77307308426F40BD6A42E2D40B891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020B35 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: bd561b698a9b9adb2a86eaf20406cadb90a3b46dfac6bb14994e55cd3f23aa56
Instruction ID: 76d286df112f69ecd9b6ff6a34219f5ee9c6bccc3eaec0eadc52d33a712b4177
Opcode Fuzzy Hash: bd561b698a9b9adb2a86eaf20406cadb90a3b46dfac6bb14994e55cd3f23aa56
Instruction Fuzzy Hash: 0571F7FB18C331BEA252D5557B6DAFE67AFE6C7730730842AF407D6A42E2940B891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020B67 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: ab8af7cc53b3cf55fc972927a5aa53ac61b521a7deb5cfe706c6a84472d1bf56
Instruction ID: 29198ba2c50896c83bba820dbd36faa6ff7077d90ea5d1cd326c2bb1fae8e6d1
Opcode Fuzzy Hash: ab8af7cc53b3cf55fc972927a5aa53ac61b521a7deb5cfe706c6a84472d1bf56
Instruction Fuzzy Hash: F871F7EB18C334BDB652D5557B7DAFFA6AFE6C3730730842AF407D6942E2950A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020B6F Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: 86b6b162d304c77de07e1ce710deb57bb31c51d14379dfd26375a4d053715acb
Instruction ID: 3be16544fbab5198a42471952c7614e61693519339da02786445a89bbaaf9394
Opcode Fuzzy Hash: 86b6b162d304c77de07e1ce710deb57bb31c51d14379dfd26375a4d053715acb
Instruction Fuzzy Hash: F261D5EB18C334BDB652D5557B6DAFE66AFE6C27307308426F407D6A42E6940A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020B82 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: 32a1661c0b42caf9a2b069b1973daab1d8df8a639edd199e9e5890080c166083
Instruction ID: 1f4efdea64856c3ff0bcff04920c94e6594eb14c4119ebd7e22af722c145801f
Opcode Fuzzy Hash: 32a1661c0b42caf9a2b069b1973daab1d8df8a639edd199e9e5890080c166083
Instruction Fuzzy Hash: D061D4EB18C334BDB652D5557B6DAFE66AFE6C7730730842AF407D6A42E2D40A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020BA1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: 20266aa504d08b7bd239a7b0a9b1961b36daebf50e5aed3c302b40399621fc36
Instruction ID: 698c8fc4f8f7bb2dd3b82dc21a97ce7418de4f58aadad678f34c06da36a003ce
Opcode Fuzzy Hash: 20266aa504d08b7bd239a7b0a9b1961b36daebf50e5aed3c302b40399621fc36
Instruction Fuzzy Hash: 9651C1EB18C334BDB652D5553B6DAFE66AFE6C7730730842AF407D6A42E6D40B892031

Uniqueness

Uniqueness Score: -1.00%

Function 05020C1E Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: f4b657fac6ad8bc74db6d61102c1e68fab41d84b8213f310b753a51605f58fd4
Instruction ID: c0460c246cf72c47d3090dd28d30c5c440922615307f3e4557d6fde5458aa10c
Opcode Fuzzy Hash: f4b657fac6ad8bc74db6d61102c1e68fab41d84b8213f310b753a51605f58fd4
Instruction Fuzzy Hash: 6451F6EB18C330BDB652D5557B6DAFF66AFE6C3730730842AF40BD6A42E6950A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020BB4 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: d1fe23c482fda1b7c2191b83c0590838191f41d884cc22cbb4b7f2cf5164679e
Instruction ID: 9ecb524adc284173db7c0dcb7f4950ec6438dfc5afb6e7d79c1a6950e64b3a41
Opcode Fuzzy Hash: d1fe23c482fda1b7c2191b83c0590838191f41d884cc22cbb4b7f2cf5164679e
Instruction Fuzzy Hash: 0151E3FB18C334BDA652D5557B6DAFE66AFE6C2730730842AF407D6A02E2A40A891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020BCC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID: ]o[E
API String ID: 0-72463870
Opcode ID: ee5d8a08fc8ce57fb7c3a23fb2c70d61b75510b86a69ce34d717d2f9286df35b
Instruction ID: e11c809ed93dcdc60f95762fa1fb5860a3084c64ffa8cd9abb9eaa1e962f9cb5
Opcode Fuzzy Hash: ee5d8a08fc8ce57fb7c3a23fb2c70d61b75510b86a69ce34d717d2f9286df35b
Instruction Fuzzy Hash: 3B51C4EB18C334BDB652D5553B6DAFF66AFE6C6730730842AF407D6A02E6940B891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020C67 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: 7f7fd32a77f9235f30c3f711eb8169098453ace8ac96b5eb618292e7e8cfa0d2
Instruction ID: b6043bbf107a4cd69ac027f9a14f33e36409b525eba8bb366db0426875c5638f
Opcode Fuzzy Hash: 7f7fd32a77f9235f30c3f711eb8169098453ace8ac96b5eb618292e7e8cfa0d2
Instruction Fuzzy Hash: 3F51F5EB18C330BDB652C6553B3D6FF66AFE6C67307308426F40BD6A02E6940B891131

Uniqueness

Uniqueness Score: -1.00%

Function 05020C86 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: aee59544b197830fd12c4ad3748e9ab715af3003de855a3283c6845c40901f16
Instruction ID: 6eee511c783f863b32bc7c50814d819d8b84eeef032a11317d89c942369c5427
Opcode Fuzzy Hash: aee59544b197830fd12c4ad3748e9ab715af3003de855a3283c6845c40901f16
Instruction Fuzzy Hash: 1B41C5EB18C331BDB652C5657B2D6FF66AFE6C67307308426F40BD6A46E6940B891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020C95 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000000), ref: 05020D1E

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: 66b154ecd5cd2ef72c14148201c7a8519db00d7e0e562da56d3196768e7e7917
Instruction ID: fbf6cc06cf993fa6fef3ea4addf56259be233bfda5f76de19ac1bf3836cdab4f
Opcode Fuzzy Hash: 66b154ecd5cd2ef72c14148201c7a8519db00d7e0e562da56d3196768e7e7917
Instruction Fuzzy Hash: 3C41D6EB18D330BDB652C5557B2DAFF66AFE6C67307308426F40BD6A42E6A44B891031

Uniqueness

Uniqueness Score: -1.00%

Function 05020CB1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: 7b38f5b2910ed75b4a276d727dd1c57d9e022e570a27732292be3717f4ded08f
Instruction ID: 9af1d149a3d306a1a1468bd972c14d7174a5270d7e882bcda7fd690148ac8171
Opcode Fuzzy Hash: 7b38f5b2910ed75b4a276d727dd1c57d9e022e570a27732292be3717f4ded08f
Instruction Fuzzy Hash: 2D41A3EB28C330BDB652C5557B3DAFF66AFE6C67307308426F407D6A42E6940B895031

Uniqueness

Uniqueness Score: -1.00%

Function 05020D28 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000000), ref: 05020D1E

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: 44adbf4065764b1c378a61a530ab1fd9204c068229f4e59e9466595f20e65657
Instruction ID: 0e3c3d9c175cc56bded4df023f54621c974d39b1e5e9717f493148cf740ddd18
Opcode Fuzzy Hash: 44adbf4065764b1c378a61a530ab1fd9204c068229f4e59e9466595f20e65657
Instruction Fuzzy Hash: DD41A2EB28D330BDA652C5653B2DAFE66AFE6C67307308426F407D6902E6944B8D5031

Uniqueness

Uniqueness Score: -1.00%

Function 05020CD3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000000), ref: 05020D1E

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: 96c9e2cb20ce54f549a71e04ec635d794eaad4179147cf54039e63244d7bddf0
Instruction ID: 4d588f6343860bd66b3b51521e1c923d93a69808bbdc2167b7d7a1eb0c4ff9d8
Opcode Fuzzy Hash: 96c9e2cb20ce54f549a71e04ec635d794eaad4179147cf54039e63244d7bddf0
Instruction Fuzzy Hash: F941B3EB28D330BDB652C5553B2DAFFA66FE6C6730730842AF407D6906E6940B8D5031

Uniqueness

Uniqueness Score: -1.00%

Function 05020D5B Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000000), ref: 05020D1E

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: c9ae980b4723c22bbd1f5c8e76879316a31f40f298963bfd6bd5c6a68a8d4672
Instruction ID: dbb677ed2dde780f146b8cb37a37ed3a533846be7c8c3a33c3df453e43dbf7a3
Opcode Fuzzy Hash: c9ae980b4723c22bbd1f5c8e76879316a31f40f298963bfd6bd5c6a68a8d4672
Instruction Fuzzy Hash: A3419FEB28D334BDB652C5513B29AFF666FE6C67307308426F407D6906E6940B8D5031

Uniqueness

Uniqueness Score: -1.00%

Function 05020D17 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(00000000), ref: 05020D1E

Strings

]o[E, xrefs: 05020EC3

Memory Dump Source

Source File: 00000000.00000002.3352765037.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_hYrJbjnzVc.jbxd

Similarity

API ID: CurrentProfile
String ID: ]o[E
API String ID: 2104809126-72463870
Opcode ID: 83bfde962885c0ab00f9185a994d225c3d2313e9b0583ffb4a05e9a0f78a283a
Instruction ID: bbc51247dee9b26465ed6d73a708a3cefee46da4337a03d92ac67c0cb68aed50
Opcode Fuzzy Hash: 83bfde962885c0ab00f9185a994d225c3d2313e9b0583ffb4a05e9a0f78a283a
Instruction Fuzzy Hash: AB418EEB68C334BDB652C5513B2DAFFA66FE6C6770730842AF807D6906E6944B8D1031

Uniqueness

Uniqueness Score: -1.00%

Function 002C9779 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002C98FE

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1b57b05c6ca9907024b5a08542e5726b78b716b8151125d8897d3d493bc11f44
Instruction ID: 4eda69af3089bbbd55bf88e490d6bcf52a6c3235c73a21c2ef83ef1d03571d9d
Opcode Fuzzy Hash: 1b57b05c6ca9907024b5a08542e5726b78b716b8151125d8897d3d493bc11f44
Instruction Fuzzy Hash: DA61A771C2410AAFDF119FA8CC48FEEBBB9AF45304F14025DE904A7205D772D9A5CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002C8DEF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,002C8CD6,00000000,?,003F7178,0000000C,002C8D92,?,?,?), ref: 002C8E45

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5c0fb2fe7649137a805c62f208b52e10877f14261e3600c62f50df5e21dd0a37
Instruction ID: 81595b79fdd88665014ebb1d688e057918499d83f18ae22e6e6a5574dfbb4274
Opcode Fuzzy Hash: 5c0fb2fe7649137a805c62f208b52e10877f14261e3600c62f50df5e21dd0a37
Instruction Fuzzy Hash: 4D116B336341105ADA253A345C45F7E27898F83734F3A471DFD18A71D2DF71ACA18591

Uniqueness

Uniqueness Score: -1.00%

Function 002C250C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,002C2616,?,?,?,?,?), ref: 002C2548

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1a6d5f3a877128eed20d7a18630c0adaa404b7b65eca2e5626488daf7b290933
Instruction ID: ec415c30eff59f170f1b0e3c052981403571fa7ef76a6a1537dcab838df0689e
Opcode Fuzzy Hash: 1a6d5f3a877128eed20d7a18630c0adaa404b7b65eca2e5626488daf7b290933
Instruction Fuzzy Hash: CF01D633620516AFDF099F59DC15E9F3B5ADB85364F64030CF8109B291EAB1ED628B90

Uniqueness

Uniqueness Score: -1.00%

Function 002832D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0028331F

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: 8d5f722a1627692d8c2683bb14f4e8f888b76b9a64e0d69e7a804d08e94686fe
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: 61F090765221059ACB18BF64D4159E9B3ECEE143A171009BAE88DC7292EB36DA648BD0

Uniqueness

Uniqueness Score: -1.00%

Function 002CA64C Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,002C9FD2,00000001,00000364,00000001,00000006,000000FF,?,002B4B2F,?,?,761B23A0,?), ref: 002CA68D

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fde05a53ad4b15ab0815d794262015bb9018f6d34496a34f5edbdd6277d99b11
Instruction ID: 987d3b43c7dc40c3201f1d8ee22da506abf44804f4ccdaab986c3578a747be6d
Opcode Fuzzy Hash: fde05a53ad4b15ab0815d794262015bb9018f6d34496a34f5edbdd6277d99b11
Instruction Fuzzy Hash: 1CF0E03217052A56DF225E729C05F5A374D6F41774B3D4319EC05A6150DA30DC308AE7

Uniqueness

Uniqueness Score: -1.00%

Function 002CB086 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,002B4B2F,?,?,761B23A0,?,?,00283522,?,?), ref: 002CB0B9

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c2de51053fdc4060ae0c76885b8387baeefa50bb8c367098521a84b44c8054eb
Instruction ID: 1094116d2f378a23b9878d9caf437fecf7964cf7a0fef39b2313177dec7f2ea8
Opcode Fuzzy Hash: c2de51053fdc4060ae0c76885b8387baeefa50bb8c367098521a84b44c8054eb
Instruction Fuzzy Hash: 57E065311706626AEA332B755C02F5F66499F423A1F150329FD25A70C2DB60DC7485E6

Uniqueness

Uniqueness Score: -1.00%

Function 05030572 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3352828127.0000000005030000.00000040.00001000.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ba3ab421257f2683ead65058a0a58019f8363fafcead79451c27c25d3f48ef
Instruction ID: ca78c99c8278a71dd6c35f231b384c8f50860f1a193686576a734ce2a4b7f5fc
Opcode Fuzzy Hash: b3ba3ab421257f2683ead65058a0a58019f8363fafcead79451c27c25d3f48ef
Instruction Fuzzy Hash: FF2192EB54E150AEF342C1423B7EAFE6B2EF1DA630334843BF442D5A06E2890B4D5132

Uniqueness

Uniqueness Score: -1.00%

Function 050305CD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3352828127.0000000005030000.00000040.00001000.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667f7a069aeaf00d36e9eb3c3a6b29759f2334420f6902de0c2ce99f88b62403
Instruction ID: ef1d282009123fce9bc114157699a90c49fe76e683a4fe0ff47898cd1361f06b
Opcode Fuzzy Hash: 667f7a069aeaf00d36e9eb3c3a6b29759f2334420f6902de0c2ce99f88b62403
Instruction Fuzzy Hash: E12171EB54E150BEE352C1423B7FAFE6B6EF1DA630334842BF403D590AE2890A4E5131

Uniqueness

Uniqueness Score: -1.00%

Function 05030550 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3352828127.0000000005030000.00000040.00001000.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f645def5621bee986644655b2116ed16030399117e5c460947aace6ffd846ea
Instruction ID: 0f5e3d530423c0fff46893300dbea9439fa867823dfa042ccd19014234d58244
Opcode Fuzzy Hash: 4f645def5621bee986644655b2116ed16030399117e5c460947aace6ffd846ea
Instruction Fuzzy Hash: 4411FCEB54A110AEF242D1477B7EAFF576FE1D67343308536F407D5A06A28806495135

Uniqueness

Uniqueness Score: -1.00%

Function 05030520 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3352828127.0000000005030000.00000040.00001000.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c3b1a149e181d74bec7f41db9b2754d6982d2ab246866832f06d3b2124f506
Instruction ID: e4a8f8dad2785d3e834a1065940480e562f6e31829c15b0acc2c57f7ce4f9761
Opcode Fuzzy Hash: a7c3b1a149e181d74bec7f41db9b2754d6982d2ab246866832f06d3b2124f506
Instruction Fuzzy Hash: 6511B9EB58E120BDF242D1477B7EAFF5A6FE1D6630331843BF407D4A0AA2880B596135

Uniqueness

Uniqueness Score: -1.00%

Function 0503053F Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3352828127.0000000005030000.00000040.00001000.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f3a2f016250f1304c40f41a3c3e700a68d9de3f4aa0072dfb3423b5300e37b
Instruction ID: 8c383ddb76c298c03896c5c1410292e9a9cd9cbe487389bfb30dd8de5be3d514
Opcode Fuzzy Hash: 76f3a2f016250f1304c40f41a3c3e700a68d9de3f4aa0072dfb3423b5300e37b
Instruction Fuzzy Hash: 7411AAEB54E110BDF242D1477B7EAFF5B6FE1E6630331842BF407D4A0AA2980B495135

Uniqueness

Uniqueness Score: -1.00%

Function 0503052F Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3352828127.0000000005030000.00000040.00001000.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259de822b3edaa15a36d1709850e5651b694618cb65c9a742a84525eb1dc7a41
Instruction ID: 149563fd35a36c42265429b1b479d43b4a10af60c1aed7d97a37dd85ae50214b
Opcode Fuzzy Hash: 259de822b3edaa15a36d1709850e5651b694618cb65c9a742a84525eb1dc7a41
Instruction Fuzzy Hash: 3E110AEB14E110BDF242D5473B7EAFF9B2FE1E6630331852BF407D0A0AA2880B492135

Uniqueness

Uniqueness Score: -1.00%

Function 050305FD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3352828127.0000000005030000.00000040.00001000.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7fd358a991dde7c4f5bc274d2e6b78ea42732962c15ef0b5b049180605af67
Instruction ID: bae12f52ad5d381c8ce1cbe98daf24b37d6d1cf1309e96ffb519473e83754507
Opcode Fuzzy Hash: da7fd358a991dde7c4f5bc274d2e6b78ea42732962c15ef0b5b049180605af67
Instruction Fuzzy Hash: 97011E9A58F220AEE342C053777FAFF6A1FA1D62303304427F047D4A1AA28806495135

Uniqueness

Uniqueness Score: -1.00%

Function 050305DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3352828127.0000000005030000.00000040.00001000.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5030000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b50fdc5187e6acd3c0b5063ebef353c11ee8768033d4b5fd867d9c600921f40
Instruction ID: e114fcb2025cf14b5250e67aa776fdd59cc4cb79e89e30e7d21ba03a21242ba1
Opcode Fuzzy Hash: 4b50fdc5187e6acd3c0b5063ebef353c11ee8768033d4b5fd867d9c600921f40
Instruction Fuzzy Hash: 4F016DEB58E210AEE251D0473B7FBFF6B2FA2D67303308536F407D4A0AA29846891135

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002D47AD Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002D49C4

Strings

1#IND, xrefs: 002D48B2
1#INF, xrefs: 002D48E3
1#SNAN, xrefs: 002D48B9
1#QNAN, xrefs: 002D48C0

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1ee5cb320022b006097ba24bc950d5cc53934a106b8e26c44597d3252ee7982d
Instruction ID: ad040cb4e450824a3ec6cd1fbd47adec060c45a0b36856d47647c99ab19be3f4
Opcode Fuzzy Hash: 1ee5cb320022b006097ba24bc950d5cc53934a106b8e26c44597d3252ee7982d
Instruction Fuzzy Hash: 04D23871E286298FDB65CE28DC447EAB7B5EB44305F1441EBD40DE7240EBB8AE918F41

Uniqueness

Uniqueness Score: -1.00%

Function 002BC950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 6d9f64699db35a5d709955e1054630f09c80c6ad13a571fa69b28b10230d3a61
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: E9024A75E1021A9BDF14CFA8C8806EEFBB5FF48354F24826AE919E7341D731A951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002B360D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,002B3067,?,?,?,?,003451DF), ref: 002B3645

Strings

`-(, xrefs: 002B363F

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: Time$FilePreciseSystem
String ID: `-(
API String ID: 1802150274-2718556199
Opcode ID: 2f065f1dba1aeff056f7bae12f8a5ab869a90a6483fd8866dd0b8e78287449d0
Instruction ID: 2556395afc15c4f0fab4571e82972fab8d1e2a1a9937613f6cb5cffc55c86373
Opcode Fuzzy Hash: 2f065f1dba1aeff056f7bae12f8a5ab869a90a6483fd8866dd0b8e78287449d0
Instruction Fuzzy Hash: 1DF0A072954A64EFCB028F54ED00B9AB7A9E708B60F00412AE812A3380CB74A9008B84

Uniqueness

Uniqueness Score: -1.00%

Function 00370350 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690fff19cae11bde70d7cac225175747591ec89f021af3f2a4867c014ffe7925
Instruction ID: be6223f40796075db0f0e9048445d0476cbfeff21b2d8edd95e34a9580f7fb89
Opcode Fuzzy Hash: 690fff19cae11bde70d7cac225175747591ec89f021af3f2a4867c014ffe7925
Instruction Fuzzy Hash: 1F627DB1E00245DBDB2ACF59C1846AEBBF1AF49304F25C1A9D958AB342C379D946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002AF570 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2deecbe3ee60a011d5856fdee5848cba5150375c33bcb85bf53e5887f2a007a
Instruction ID: db33884100ef429bbb2b1f8c07f5f93b64bfc258d5db8ab8b3fcac5e89aa4f7d
Opcode Fuzzy Hash: c2deecbe3ee60a011d5856fdee5848cba5150375c33bcb85bf53e5887f2a007a
Instruction Fuzzy Hash: 92E11372E2122A9FCB05CFA8C9816ADFBF1FF89310F1942A9D815B7340D674AD55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002C035F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff80ae3ed7b9b33536ecd7c96537dbae06d2a19d1f2da790e03b52f42df09ed
Instruction ID: d38de2a00e97f4ab371ac73d76f11d7f5efdea5e27f690bd2d777a250b37a24f
Opcode Fuzzy Hash: eff80ae3ed7b9b33536ecd7c96537dbae06d2a19d1f2da790e03b52f42df09ed
Instruction Fuzzy Hash: 13C1C77092064BCFCB38CE68C4C4FAABBA5AB45300F24471DDA9A97692C370A965CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002CDA74 Relevance: .3, Instructions: 270COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc2051830bf6674c63d767e75128be2bbc928b4c7c861e1ba1602f74144c581
Instruction ID: c545c2d8e6560d6dfba9b773582f1dc2511d62987d1792fd0f74639f774764e1
Opcode Fuzzy Hash: ddc2051830bf6674c63d767e75128be2bbc928b4c7c861e1ba1602f74144c581
Instruction Fuzzy Hash: 6FB11E325206099FD719CF28C486F657BE0FF45364F25866DE89ACF2A1C375E9A1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002D8BA0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b160d844c0b78d5481140c498d4975edf5715b823a6c793699a04c6bcbd980
Instruction ID: 07fea855b740f73d0be71ea0a9445bdfccdb667acc09cb01d26627447a8c1e57
Opcode Fuzzy Hash: 34b160d844c0b78d5481140c498d4975edf5715b823a6c793699a04c6bcbd980
Instruction Fuzzy Hash: AA8113B0D202469FDB15DF68D9817FEBBB5EB1A300F1401AAD855A7382CB359D19CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0036CFC0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa84d5402d9434341112bd7b80800dffdf85b9f8f9c5775b187ba39a5730a205
Instruction ID: 8b8d04e723e618ab16e607af0a81c606155c81704992adc42eae6bd79dac6363
Opcode Fuzzy Hash: fa84d5402d9434341112bd7b80800dffdf85b9f8f9c5775b187ba39a5730a205
Instruction Fuzzy Hash: 6A6143316201A44FEB29CF1EFDD44363B66A38E3117858729EA81CF2D5C635E926D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 002BA918 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction ID: 5a80e53f456e4af0e1563eee03b3dbf6c93c562ceac95ba29e1f375cf2af8ef3
Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction Fuzzy Hash: F6518D72D1021AEFDF14CF98C941AEEBBB2FF88340F198459E915AB201D734AE50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002B7190 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 92ec3a190daff4e1f2ddc577f546d5836f77e5b3aa2c8405e81b9963649bb179
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 1F117D7723808343D6148E3DDCB46F7A7A5EBC53A0B2D837AD4864BB44D162E970EA10

Uniqueness

Uniqueness Score: -1.00%

Function 0029A060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0029A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0029A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0029A0E7
__Getctype.LIBCPMT ref: 0029A1C5
std::_Facet_Register.LIBCPMT ref: 0029A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0029A223

Strings

PG(, xrefs: 0029A1BF
E(, xrefs: 0029A1AE
PD(, xrefs: 0029A19A

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD($PG($E(
API String ID: 1102183713-3837786662
Opcode ID: 7cc412a25d1e361999d2f0144c5a5169a95b2ff29f2ad980f8e2fe0ad5f89506
Instruction ID: 90a29f69e988ff8fa7a8172a1b2a523f5472d8192f0fc04de7f5268bcda54637
Opcode Fuzzy Hash: 7cc412a25d1e361999d2f0144c5a5169a95b2ff29f2ad980f8e2fe0ad5f89506
Instruction Fuzzy Hash: A85188B1D11749CBCB11DF58C94579EBBB4EB00314F148259D845AB381D774AA54CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 002B72C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002B72F7
___except_validate_context_record.LIBVCRUNTIME ref: 002B72FF
_ValidateLocalCookies.LIBCMT ref: 002B7388
__IsNonwritableInCurrentImage.LIBCMT ref: 002B73B3
_ValidateLocalCookies.LIBCMT ref: 002B7408

Strings

`-(, xrefs: 002B73CC
csm, xrefs: 002B739D
W+, xrefs: 002B73A5, 002B73AE, 002B73BF

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-($csm$W+
API String ID: 1170836740-2085452324
Opcode ID: 7323e3feaebb3fd741e87507acb111bbe175d95f074ae6bff21b33988357e8b4
Instruction ID: c8f8da5b47a60e46a737a66261cfbf2c14a02545d7995256ff5a7d1dc7395eeb
Opcode Fuzzy Hash: 7323e3feaebb3fd741e87507acb111bbe175d95f074ae6bff21b33988357e8b4
Instruction Fuzzy Hash: 2641D434A2420A9BCF10DF68C884ADEBBF5AF84354F148196ED189B392D771E921DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0029C430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0029C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0029C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0029C4A4
std::_Facet_Register.LIBCPMT ref: 0029C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0029C5C4

Strings

PD(, xrefs: 0029C54E
E(, xrefs: 0029C562

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E($PD(
API String ID: 459529453-515452378
Opcode ID: 2ae59970e8fb3bc1ad59714c4c5f1fd8210a29d919684adaa5662deca0baca4a
Instruction ID: a1192b2601c4265fec2a57d40b86a2276e8da42f112f2e639f3ed54df40ee670
Opcode Fuzzy Hash: 2ae59970e8fb3bc1ad59714c4c5f1fd8210a29d919684adaa5662deca0baca4a
Instruction Fuzzy Hash: 4551DDB1910245DBDF11EF58C944BAEBBF4FB00314F248199E845AB381D7B5AA14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002CBB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002CBBDE

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: c76f8f1658383787365a932078c73a75a43320c08d240083600c40feb2585a69
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: A0B147329203569FDB128F68CC83FEE7BA5EF55710F14425AE905AF282D7749D21CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002B2719 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002B2720
std::_Lockit::_Lockit.LIBCPMT ref: 002B272B
std::_Lockit::~_Lockit.LIBCPMT ref: 002B2799

Part of subcall function 002B287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 002B2894

std::locale::_Setgloballocale.LIBCPMT ref: 002B2746

Strings

`-(, xrefs: 002B2768, 002B278C

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-(
API String ID: 677527491-2718556199
Opcode ID: 0755426444010a2dbd867aa9bd402cc8e6b5a78d55433f12be157a81fe968f5b
Instruction ID: f1231f0864a78fc870b93347b4b2be71b59535cd042a57bdd47321889664b37a
Opcode Fuzzy Hash: 0755426444010a2dbd867aa9bd402cc8e6b5a78d55433f12be157a81fe968f5b
Instruction Fuzzy Hash: 0501BC39A10624DBCB06EB20D9459BEB7B1FF84790B084019E80167391CF74AE26DFC9

Uniqueness

Uniqueness Score: -1.00%

Function 00287350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0028750C
___std_exception_destroy.LIBVCRUNTIME ref: 00287522

Strings

[json.exception., xrefs: 002873A1
)(, xrefs: 00287502, 0028751C

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )($[json.exception.
API String ID: 4194217158-969352199
Opcode ID: 94e48d9748d52b1fd1b4b7e1c9da28fec416643cd57367806c554680978b73b9
Instruction ID: d3207bcef46f40d32ea8b575a349446069101cf75722d734473247b88109d076
Opcode Fuzzy Hash: 94e48d9748d52b1fd1b4b7e1c9da28fec416643cd57367806c554680978b73b9
Instruction Fuzzy Hash: 9651D0B1C15748DFDB01EFA8C905B9EBBB4EF15314F144269E850A72C2E7B85A44CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00284900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0028499F

Strings

ios_base::failbit set, xrefs: 00284828, 00284941
ios_base::eofbit set, xrefs: 00284946
ios_base::badbit set, xrefs: 00284937, 00284962

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 0479399a05964987ccad0aa7b0229fe8ad08cf473082da2b2619c2adabbf40b8
Instruction ID: 262eaf7a9613330dbbdc42d77cfd2fa0e2aefe29321c2fdcb09d74097e59a528
Opcode Fuzzy Hash: 0479399a05964987ccad0aa7b0229fe8ad08cf473082da2b2619c2adabbf40b8
Instruction Fuzzy Hash: 5F115C769246956BC721FF5CCC02FA7738CD700710F044629FE58872C1EB749920CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002836E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00283819
___std_exception_destroy.LIBVCRUNTIME ref: 002838F0

Strings

)(, xrefs: 002837ED, 002838EA

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )(
API String ID: 2970364248-3070208227
Opcode ID: 29abb5c0319fd7a884b40f4a0b2bd8ae44cbee7ead2e679362329c77a9e491d9
Instruction ID: 090d2c0b7e41fc36d948f95e860a0b1eb811547343405dd33349bb18e8972e50
Opcode Fuzzy Hash: 29abb5c0319fd7a884b40f4a0b2bd8ae44cbee7ead2e679362329c77a9e491d9
Instruction Fuzzy Hash: 5A6188B1C01248DFDB01DF98C948B9DFBB4FF19720F14825AE854AB282D7B55A54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002847F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0028499F

Strings

ios_base::failbit set, xrefs: 00284828
ios_base::badbit set, xrefs: 00284937, 00284962

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 62be972b4652b0ce603318f7bc4f7f0bc936cbb96095d795413fe79d40291959
Instruction ID: b91ecf628314e497cd24b78f7453190087f12d001f8edfe90b149ff930b4baae
Opcode Fuzzy Hash: 62be972b4652b0ce603318f7bc4f7f0bc936cbb96095d795413fe79d40291959
Instruction Fuzzy Hash: 384133B5C21649AFCB04EF58CD45BAEBBB8EB05710F24821DF514AB3C1D7759A10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00284040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00284061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002840C4

Strings

bad locale name, xrefs: 002840E6

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 654fabdf89c9d551c2752838d911c01d9722d524f9dba29e71d70eb7da46a118
Instruction ID: 1c6a3e1cd1e8d538b9cfbc0bbe43b6e9ba0e35c8366254cb249ff248917825ed
Opcode Fuzzy Hash: 654fabdf89c9d551c2752838d911c01d9722d524f9dba29e71d70eb7da46a118
Instruction Fuzzy Hash: 7211D370805BC4DED321CF68C50478BBFF4AF15714F14868DE09597B81D3B9AA08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00296590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002965C9
___std_exception_copy.LIBVCRUNTIME ref: 002965FC

Strings

)(, xrefs: 002965BA, 002965ED

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )(
API String ID: 2659868963-3070208227
Opcode ID: 2d94d029d06c05f60753f51a7c0bf5b82c3f36310ff2fa5245fa50d3fbb4bf8f
Instruction ID: a0a821e54ac8442c7ea4a7e0c14bf8189deb21c33d0e0e57232f9897cb9c31b0
Opcode Fuzzy Hash: 2d94d029d06c05f60753f51a7c0bf5b82c3f36310ff2fa5245fa50d3fbb4bf8f
Instruction Fuzzy Hash: 87115EB6900648EBCB01DF99D980B86F7F8FF0A720F10876AE91497741E774A540CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00287A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00287A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00287A72

Strings

)(, xrefs: 00287A52, 00287A6C

Memory Dump Source

Source File: 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.3337979999.0000000000280000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3338326862.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.0000000000407000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.000000000069E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339682785.00000000006B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340418581.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340757491.000000000083E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.000000000083F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3340911744.000000000084A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3341142745.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_hYrJbjnzVc.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )(
API String ID: 4194217158-3070208227
Opcode ID: 1b14407632b6f9e701efd16555413caaeb6519270da299ec1e59752315e7fd9e
Instruction ID: 96c0fca2b15f296d66e42c3dcc325e822e8adae585b9ac70311c276584f61e1c
Opcode Fuzzy Hash: 1b14407632b6f9e701efd16555413caaeb6519270da299ec1e59752315e7fd9e
Instruction Fuzzy Hash: ADF062B1C05748DFC711DF98D90178DFBF8EB06724F50065AE454A3781D7B556048B92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MPGPH131.exePID: 6976, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	0%
Total number of Nodes:	1811
Total number of Limit Nodes:	28

Executed Functions

Function 00DF4EB0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003F4,0000FFFF,00001006,?,00000008), ref: 00DF4F56
recv.WS2_32(?,00000004,00000002), ref: 00DF4F71
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00DF4FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00DF5014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00DF50B0

Part of subcall function 00DF5940: WSAStartup.WS2_32 ref: 00DF596B
Part of subcall function 00DF5940: socket.WS2_32(?,?,?,?,?,?,00EB6328,?,?), ref: 00DF5A0E
Part of subcall function 00DF5940: connect.WS2_32(00000000,00E86B31,?,?,?,?,00EB6328,?,?), ref: 00DF5A22
Part of subcall function 00DF5940: closesocket.WS2_32(00000000), ref: 00DF5A2D

recv.WS2_32(00000000,?,00000008), ref: 00DF50CB
recv.WS2_32(?,00000004,00000008), ref: 00DF51D3
__Xtime_get_ticks.LIBCPMT ref: 00DF51DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF51E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00DF5261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00DF5269

Strings

(c, xrefs: 00DF4F05

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID: (c
API String ID: 301102601-1781735918
Opcode ID: ee007994f5ea041a7c6919a9058a197909c7d483615e1440852a7b8b0da49fc6
Instruction ID: 0fc12df7a719e3c435792504b28f5379a69fe153a7bb24a65319d061ae4a99b3
Opcode Fuzzy Hash: ee007994f5ea041a7c6919a9058a197909c7d483615e1440852a7b8b0da49fc6
Instruction Fuzzy Hash: DBB1BB70D003089FEB14DFA8DC89BAEBBB1EF45304F144218E654BB2E2D7B45948DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D39280 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00E7A4DC,00000000,761B23A0,-00EB6880), ref: 00D396C9

Strings

4oST, xrefs: 00D39660
Ws2_32.dll, xrefs: 00D3969A
4oST, xrefs: 00D3962C

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: Send
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 121738739-1839276265
Opcode ID: 78de2c4e534ae89187583c175fe626b7bf0438045e1a264f4c37563ac9ff4613
Instruction ID: ebe7f5bfad850d432c2270ee04006131c097adad647919464ad1a51ca74e18a8
Opcode Fuzzy Hash: 78de2c4e534ae89187583c175fe626b7bf0438045e1a264f4c37563ac9ff4613
Instruction Fuzzy Hash: 4402D070D04288DFDF25CFA4C8A07EDFBB0EF55710F244289E4856B686D7B05986CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5940 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00DF596B
socket.WS2_32(?,?,?,?,?,?,00EB6328,?,?), ref: 00DF5A0E
connect.WS2_32(00000000,00E86B31,?,?,?,?,00EB6328,?,?), ref: 00DF5A22
closesocket.WS2_32(00000000), ref: 00DF5A2D

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: b5c772f6d29a28b27fd8506a53116ef48f0215fa8c47b4fbead83912e7d80fc6
Instruction ID: d2dc8e7514cb218c11dd757ae374f246f8b706c69434c0652b72f6c2ca075f5d
Opcode Fuzzy Hash: b5c772f6d29a28b27fd8506a53116ef48f0215fa8c47b4fbead83912e7d80fc6
Instruction Fuzzy Hash: 8631F5325047045BC7209B659C85A7BB7E4FFC5334F056F19FAA8A32E0E370A81486A2

Uniqueness

Uniqueness Score: -1.00%

Function 04C4082D Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 45a5265308ad8ca71f2d95ee942cc40d8b237767682fe26feb6d85315dea5b24
Instruction ID: 81a00d081dd075f466e801a922d966870d82178e63671abea716d44f3ab77dcf
Opcode Fuzzy Hash: 45a5265308ad8ca71f2d95ee942cc40d8b237767682fe26feb6d85315dea5b24
Instruction Fuzzy Hash: B59190EB78C114BDB242C1832B60AFB676ED6D67307348437FA07C6542F2946E8E2172

Uniqueness

Uniqueness Score: -1.00%

Function 04C407D3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 6571cdda9f31f7165aaacee49cd1b15722f2945ae727fb3a548e22c80779dd0f
Instruction ID: 07f4b144e7221bcb628696985cafa2a3becacccc2c32a6eee37dd75dd90d0e7b
Opcode Fuzzy Hash: 6571cdda9f31f7165aaacee49cd1b15722f2945ae727fb3a548e22c80779dd0f
Instruction Fuzzy Hash: F89180EB78C114BDB142C1832B60AFB576ED6D67307348437FA07C6542F2946E8E6172

Uniqueness

Uniqueness Score: -1.00%

Function 04C407CE Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 7e87bfcbf5e1e134e96051c156710e3dc03c2746f94c9589e0b8e8ab00a0b9b8
Instruction ID: 9647f9ec236685a8be693dbc97b40c94acb984a0bd8eac40e5e7e1f82eddc2a9
Opcode Fuzzy Hash: 7e87bfcbf5e1e134e96051c156710e3dc03c2746f94c9589e0b8e8ab00a0b9b8
Instruction Fuzzy Hash: F9918FEB78C124BDB242C1832B60AF7676ED6D67307348437FA07C6542F2946E8E6172

Uniqueness

Uniqueness Score: -1.00%

Function 04C40847 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: a4f73dda63c77cd2402050a0b7702809b37d5047035fe9ea2c0b45f318c847de
Instruction ID: 11cbdba8a412e9d4e42c8e39c4ba571869d00beea510823462638b6a54b826c2
Opcode Fuzzy Hash: a4f73dda63c77cd2402050a0b7702809b37d5047035fe9ea2c0b45f318c847de
Instruction Fuzzy Hash: 6391A2EB78C114BDB242C1876B60AFB676ED6D67307348437FA07C6542F2946E8E2172

Uniqueness

Uniqueness Score: -1.00%

Function 04C4080A Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: a2b6268db7cffb7a5ea9cf524f395a60d04d9194eddba9c4f778a7bbdb094f4b
Instruction ID: 31971836770aa28f12c26db1939c3b223f59ee1d9d5701427b1e33b3ae2a2aa5
Opcode Fuzzy Hash: a2b6268db7cffb7a5ea9cf524f395a60d04d9194eddba9c4f778a7bbdb094f4b
Instruction Fuzzy Hash: 9991B1EB78C114BDB242C1932B60AF7676ED6D6730734847BFA07C6142F2942E8E6132

Uniqueness

Uniqueness Score: -1.00%

Function 04C407F5 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 86862e4c3dc5c33510404b79fc32f82ba7c1922a5d42a8a280d50ebbcee66c6c
Instruction ID: 6439cd81823af13645d205cd451b0325b5fcb7be66494b99274f768cdbb2d3ce
Opcode Fuzzy Hash: 86862e4c3dc5c33510404b79fc32f82ba7c1922a5d42a8a280d50ebbcee66c6c
Instruction Fuzzy Hash: 699191EB78C115BDB242C1872B60AF7676ED6D67307348437FA07C6542F2946E8E2172

Uniqueness

Uniqueness Score: -1.00%

Function 04C40873 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 500bdd921f45adc9fcc48f2c272e6133500800758e84bbd12582dd02749e3ea0
Instruction ID: 10680728a192c1d533ed24fc43902eddb392c26ff8fbb802b66e2270dcb490d9
Opcode Fuzzy Hash: 500bdd921f45adc9fcc48f2c272e6133500800758e84bbd12582dd02749e3ea0
Instruction Fuzzy Hash: 0091A2EB78C154BDB242C1932B20AF7576ED6D67307348437FA07C6542F2946E8E6131

Uniqueness

Uniqueness Score: -1.00%

Function 04C40863 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 438
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: f6c9529c66d902aad383361e42631a621d791121aeb07d93766a3b48c9281bbf
Instruction ID: b8e8f7e42ed1e442c3b54984238e10f31683a6939084e6314389664b622c80d2
Opcode Fuzzy Hash: f6c9529c66d902aad383361e42631a621d791121aeb07d93766a3b48c9281bbf
Instruction Fuzzy Hash: 728180EB78C115BDB242C1932B60AFB576ED6D67307348437FA07C6542F2946E8E6132

Uniqueness

Uniqueness Score: -1.00%

Function 04C40888 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 04110d2b0fbbec23685106ee56e2aa5271d99515c83e5e0cdeedf42908e56ee3
Instruction ID: afed95c93a5808add8c4aa1fa3f3dbe2af1039d2fea3efb00ec81d518e20f9d2
Opcode Fuzzy Hash: 04110d2b0fbbec23685106ee56e2aa5271d99515c83e5e0cdeedf42908e56ee3
Instruction Fuzzy Hash: 998191EB78C124BDB242C1932B60AFB576ED6D67307348477FA07C6542F2942E8E6132

Uniqueness

Uniqueness Score: -1.00%

Function 04C408C1 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: ae3e4568d92fda394de71c398400649b06fbeb8f44f23ba0772e1f16440e30d2
Instruction ID: b098ef2fdf829c2b4d7f0516ac86c5396a350ce83b22a5d6e01012937ae9f63b
Opcode Fuzzy Hash: ae3e4568d92fda394de71c398400649b06fbeb8f44f23ba0772e1f16440e30d2
Instruction Fuzzy Hash: 2C8191EB78C124BDB242C1972B60AF7676ED6D67307348437FA07C6542F2946E8E2132

Uniqueness

Uniqueness Score: -1.00%

Function 04C408A8 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 4595fa1450a7ac4c8cb187882e01f6dd4e938cb27d6e59b395eca2b02ef9109a
Instruction ID: 1fd40d1076e65191b7427df1ae8b37ae9386c2c1afa61ca513c526a03d326b32
Opcode Fuzzy Hash: 4595fa1450a7ac4c8cb187882e01f6dd4e938cb27d6e59b395eca2b02ef9109a
Instruction Fuzzy Hash: 108190EB78C154BDB242C1972B60AFB676ED6D67307348437FA07C6542F2946E8E2132

Uniqueness

Uniqueness Score: -1.00%

Function 04C4091D Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: a2e89d935d1ea53debeed9d071de0ea008623df919554f0bb6931a271ed82e1d
Instruction ID: 6f339e1fe9d94da94725d526d67b5f5ecc72c6e9fff362d68dc1cfd624cfaa4e
Opcode Fuzzy Hash: a2e89d935d1ea53debeed9d071de0ea008623df919554f0bb6931a271ed82e1d
Instruction Fuzzy Hash: FF818FEB78C125BDB202C1932F60AF7676ED6D67707348467FA07C6542F2946E8E2132

Uniqueness

Uniqueness Score: -1.00%

Function 04C408DC Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: e1d0cb4674c309924bcb449001bfba276dcb24e45811cd1a948e63c42bceb5fe
Instruction ID: a259260722715fc237d0ddc6205bf7049002325c3c2ec8501f2353ea77ba1779
Opcode Fuzzy Hash: e1d0cb4674c309924bcb449001bfba276dcb24e45811cd1a948e63c42bceb5fe
Instruction Fuzzy Hash: 388180EB78C125BDB242D1932B60AF7676ED6D67307348427FA07C6542F2946E8E2132

Uniqueness

Uniqueness Score: -1.00%

Function 04C408EE Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 681a8fb2d74d3615f361ed02b9a65164f3cb7d0dbc27934b6f5707e4e0b36ab1
Instruction ID: bc74bfe898b920d50a8cffca779326adcd63cc838ae6e3e1426aa0d98a1f6fb5
Opcode Fuzzy Hash: 681a8fb2d74d3615f361ed02b9a65164f3cb7d0dbc27934b6f5707e4e0b36ab1
Instruction Fuzzy Hash: 28718DEB78C125BCB242C1932B60AF7676ED6D67307348437FA07C6542F2946E8E2132

Uniqueness

Uniqueness Score: -1.00%

Function 04C40937 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 9cae3089284124bb169d69483a98d0e20cc83b501e80268b25713207a8feb468
Instruction ID: 9113d05f49c19a7cb57689ec3c6d760eeac303143cc776d00c768713b364b3f5
Opcode Fuzzy Hash: 9cae3089284124bb169d69483a98d0e20cc83b501e80268b25713207a8feb468
Instruction Fuzzy Hash: 12718EEB78C125BCB202C1932B20AF7676ED6C67307348477FA07C6542F2946E8E2172

Uniqueness

Uniqueness Score: -1.00%

Function 04C40947 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: bd5d6f04869c3d78bec0f69720e3ba1c7714286d283eb6ece160fcace8e433a9
Instruction ID: a319e54b4542aea3dec552fd6999480fcf9e8c9f2ca5e615884a0d25c8dc61fd
Opcode Fuzzy Hash: bd5d6f04869c3d78bec0f69720e3ba1c7714286d283eb6ece160fcace8e433a9
Instruction Fuzzy Hash: 457171EB78C125BDB112C1932B20AF7576ED6D67707348477FA07C6542F2946E8E2131

Uniqueness

Uniqueness Score: -1.00%

Function 04C40960 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: bebddb559aa83c151787b28af73cfba70fa8e2dc45e801dbd4b4adfdaa7bfb58
Instruction ID: 227a5cc894b3c6f95792d6b2c732a8bbf9305313a7e89c8a885c6b548a785269
Opcode Fuzzy Hash: bebddb559aa83c151787b28af73cfba70fa8e2dc45e801dbd4b4adfdaa7bfb58
Instruction Fuzzy Hash: C47180EB78C125BDB202D1932B20AF7676ED6C67307348477FA07C6542F6946E8E2132

Uniqueness

Uniqueness Score: -1.00%

Function 04C409AA Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID:
String ID: EYjN
API String ID: 0-3767897494
Opcode ID: 0ae0a53b4081d7cc87d3c71aa3dedb235d4b7ab6d2f3b3d107b551931de72543
Instruction ID: 9fca8c29b929e248150bf363d74f0f04e8528930a22b91631453ca5037ba1fcc
Opcode Fuzzy Hash: 0ae0a53b4081d7cc87d3c71aa3dedb235d4b7ab6d2f3b3d107b551931de72543
Instruction Fuzzy Hash: F1617DEB78C165BDB202D1932B20EF7676ED6C27707348467FA07C6542E2946E8E2032

Uniqueness

Uniqueness Score: -1.00%

Function 04C409C0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: EYjN
API String ID: 2104809126-3767897494
Opcode ID: 2c2091c49caf7b1cca757667b4ef19d0ad6fe0b2b64f5e5f9e05ff2b084d2af5
Instruction ID: 853338bed05e70be27dc43841ebb50a2296fadcb931339069a380302262d1086
Opcode Fuzzy Hash: 2c2091c49caf7b1cca757667b4ef19d0ad6fe0b2b64f5e5f9e05ff2b084d2af5
Instruction Fuzzy Hash: C4616BEB38C165BCB252D1932B20AF7576ED6C27707348437FA07C6542E2886E8E2032

Uniqueness

Uniqueness Score: -1.00%

Function 04C40A11 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(4E6A5945), ref: 04C40AFF

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: EYjN
API String ID: 2104809126-3767897494
Opcode ID: 0fa11144f647eb951a5ec6593a1136b318516ef5c765207dcf319ebaf33aa937
Instruction ID: 77f47669f3913e1d9a3bdaa13663c81f9d3229c29564f0e487e28b4c2e7e7ff6
Opcode Fuzzy Hash: 0fa11144f647eb951a5ec6593a1136b318516ef5c765207dcf319ebaf33aa937
Instruction Fuzzy Hash: 7951A0EB78C165BDB212D1532B60AFB676ED6C67707348477FA07C6542F2846E8E2032

Uniqueness

Uniqueness Score: -1.00%

Function 04C409F3 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: EYjN
API String ID: 2104809126-3767897494
Opcode ID: 155d0195983a561a05248fc21f52528c4f0305393b2814585fd47a3410e89cd8
Instruction ID: 53ae5b0845fec2af541e303523ca602dab5db35b977d4744ef584ab97c7d75f4
Opcode Fuzzy Hash: 155d0195983a561a05248fc21f52528c4f0305393b2814585fd47a3410e89cd8
Instruction Fuzzy Hash: 4B51A0EB78C125BDB212D1532B60AF7676ED6C27307348477FA07C6542F2946E8D2072

Uniqueness

Uniqueness Score: -1.00%

Function 04C40A38 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 304COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(4E6A5945), ref: 04C40AFF

Strings

EYjN, xrefs: 04C40A4E

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: EYjN
API String ID: 2104809126-3767897494
Opcode ID: 28290fc5587fd84335d2f9a9f9e84cb4d2d7ff0291acb9f8ffa5cf575633a8dd
Instruction ID: 3511def05560f6d242d0afa935b3a52df5317726f03bef5304f6a4cb6b1263b8
Opcode Fuzzy Hash: 28290fc5587fd84335d2f9a9f9e84cb4d2d7ff0291acb9f8ffa5cf575633a8dd
Instruction Fuzzy Hash: 6C518EEB78C165BDB25291532F60AF75B6ED6C67303348477FA07C6542E2882E8D2032

Uniqueness

Uniqueness Score: -1.00%

Function 04C40AAA Relevance: 1.8, APIs: 1, Instructions: 286COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(4E6A5945), ref: 04C40AFF

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e80b03e18815f7181b6ee24d159ba4b32205b9c426ed059b76f660dacb46431f
Instruction ID: 871b677b25940aa6ffdadd3829d834355a89015eb2ba7cafdbe589dc1f3eeeb1
Opcode Fuzzy Hash: e80b03e18815f7181b6ee24d159ba4b32205b9c426ed059b76f660dacb46431f
Instruction Fuzzy Hash: 30516FEB78C165BCB21291532F60EFB576ED6C67307348477FA07C6542E2892E8E2172

Uniqueness

Uniqueness Score: -1.00%

Function 04C40AD2 Relevance: 1.8, APIs: 1, Instructions: 276COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(4E6A5945), ref: 04C40AFF

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 91a327e84ab5c7122417ae70f721eb4cc598c0e90afa8d2b13e069bd93f7bc5e
Instruction ID: 0752b39fb82d7d37ca2786445e4cfb960edf077fcd592d050688f7847571efee
Opcode Fuzzy Hash: 91a327e84ab5c7122417ae70f721eb4cc598c0e90afa8d2b13e069bd93f7bc5e
Instruction Fuzzy Hash: 89514BEB38D125BCB25291533F60EFB676ED6C67307348827FA07C5545E2886E8E2072

Uniqueness

Uniqueness Score: -1.00%

Function 04C40A66 Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(4E6A5945), ref: 04C40AFF

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3ce3889c3cbbe5e0ae511fe7be5c81913a264f298efdb803a00d334e5f125207
Instruction ID: dcedb777863c90b8fdfe5e9cc261ead684f34c9f6c9823ad625ffa3b512d2382
Opcode Fuzzy Hash: 3ce3889c3cbbe5e0ae511fe7be5c81913a264f298efdb803a00d334e5f125207
Instruction Fuzzy Hash: 07514AEB38D125BCB15291532B60EFB576ED6C67307348867FA07C5546E6886E8E2032

Uniqueness

Uniqueness Score: -1.00%

Function 04C40A80 Relevance: 1.8, APIs: 1, Instructions: 264COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(4E6A5945), ref: 04C40AFF

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b12ca2b662ff466593b9a1a33c148abbd3a1007eb5a72ab6948ad8d8167b5c06
Instruction ID: 5d6e948cc0a3bdcd6ed048f9db46a98f0f4b77f516ae6f0742916485994b46f4
Opcode Fuzzy Hash: b12ca2b662ff466593b9a1a33c148abbd3a1007eb5a72ab6948ad8d8167b5c06
Instruction Fuzzy Hash: 0D514AEB38D125BCB11291533B60EFB676ED6D67303348867FA07C5546E6882E8E6072

Uniqueness

Uniqueness Score: -1.00%

Function 04C40A95 Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(4E6A5945), ref: 04C40AFF

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fbbae316bb4df2e01876670b2deb228c729d202048b44884ca78320fd69e5158
Instruction ID: c6b9c6807325ae7c6747b819a3fd59a2c62eec76412c0a019b6cad885a06263f
Opcode Fuzzy Hash: fbbae316bb4df2e01876670b2deb228c729d202048b44884ca78320fd69e5158
Instruction Fuzzy Hash: 6E414CEB38D165BCB15291533F60EFB676ED5C67303348467FA07C5546E6882E8E2072

Uniqueness

Uniqueness Score: -1.00%

Function 04C40AED Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(4E6A5945), ref: 04C40AFF

Memory Dump Source

Source File: 00000006.00000002.3352629188.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c40000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4dcad374802921a8e3844475e4ea69d78a2d16a71d43eb988a4a7b6c9d37cc55
Instruction ID: a5f8ff5f48cb3a47ead6059d128825f3b8343d6c0e9889336b921f509627f598
Opcode Fuzzy Hash: 4dcad374802921a8e3844475e4ea69d78a2d16a71d43eb988a4a7b6c9d37cc55
Instruction Fuzzy Hash: DA415EEB38D125BCB21291533F60EFB676ED6C67303348467FA07C6506E6942E8D6076

Uniqueness

Uniqueness Score: -1.00%

Function 00D79779 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D798FE

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a3d17a50cecb1133a9740ecacb0fd6408b792b2ecfc1ff27d8a9375a3a629e1b
Instruction ID: 861e017a4d8ef9edd99e8666fae770da89f34b94273609d0694c36c5475e6347
Opcode Fuzzy Hash: a3d17a50cecb1133a9740ecacb0fd6408b792b2ecfc1ff27d8a9375a3a629e1b
Instruction Fuzzy Hash: 1761C273C04119AFDF15DFA8C851AEEFBB9AF09304F184159E948A7216E332D901CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D78DEF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00D78CD6,00000000,?,00EA7178,0000000C,00D78D92,?,?,?), ref: 00D78E45

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 918c6da22df5b090ef3158e329386264e2344ea54a803533f6b576571f7fd1e1
Instruction ID: 54a8e1daea235444fc7a64e19081e1819ea12a9ef1dd4d93bcd4820302bcf834
Opcode Fuzzy Hash: 918c6da22df5b090ef3158e329386264e2344ea54a803533f6b576571f7fd1e1
Instruction Fuzzy Hash: 30116F3364015055D6253234984EB7E674DCB86734F3D869DF91CD71C2FF229C80A1B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D7250C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00D72616,?,?,?,?,?), ref: 00D72548

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 45b825afd8d076c98fbb72279f06090966fa4e086c2f6d0f6ca77f702a7ecb8b
Instruction ID: ace87421f4402f6de3e3ce8f5f8831a6af1bf641222c32b7e6e9b9d74210e674
Opcode Fuzzy Hash: 45b825afd8d076c98fbb72279f06090966fa4e086c2f6d0f6ca77f702a7ecb8b
Instruction Fuzzy Hash: E0014933610155AFCF09DF19DC11CAE3B19DF85324B384248FC14AB291F671EE418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D332D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D3331F

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: d96ecb890acfc2df5fde90d066479fd60f9863e2c308ca2a15aeeb36e3577e43
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: AEF0E9725401049BCB147FA4D5158E9B3E8EF243A1B14497BE88DC7212EF26DA90C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A64C Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00D79FD2,00000001,00000364,00000001,00000006,000000FF,?,00D64B2F,?,?,761B23A0,?), ref: 00D7A68E

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dea6b48c0fb666550dd1886f182c3ee9047098990b47764d0422f8636f26c2bc
Instruction ID: b9f0c9253706667e40ff85054445dafb3718fed851ffb040b7b605bc74cce30e
Opcode Fuzzy Hash: dea6b48c0fb666550dd1886f182c3ee9047098990b47764d0422f8636f26c2bc
Instruction Fuzzy Hash: 3AF05436510A256A9B226A6A9C05A6E374DEBC1760B1DC216F80CAA190FA24E80585F6

Uniqueness

Uniqueness Score: -1.00%

Function 00D7B086 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00D64B2F,?,?,761B23A0,?,?,00D33522,?,?), ref: 00D7B0B9

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9e8b7dc75988cbdab669e380a96db8c36d743de80b4f8c072001972045ec97ff
Instruction ID: 08be0d83fb552d2fe8c60ccb252977bf9a87a4564f2d4d35e903e5b3f7753f1e
Opcode Fuzzy Hash: 9e8b7dc75988cbdab669e380a96db8c36d743de80b4f8c072001972045ec97ff
Instruction Fuzzy Hash: EEE06D311006216AEA3127765C00BAF264AEF433B0F198623FE6CA70D2FB60DC4081F1

Uniqueness

Uniqueness Score: -1.00%

Function 04C50242 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f100ec84f59066e8cade3141510d4bb18e5d6433a77fb03d1bcf9168429dd249
Instruction ID: f9fc32e11398579ae9ed1b592a382065ad94fd8ed2fd6f15309aa81401c5e529
Opcode Fuzzy Hash: f100ec84f59066e8cade3141510d4bb18e5d6433a77fb03d1bcf9168429dd249
Instruction Fuzzy Hash: B521D3BB24C114BEA15295836B15AFE7B6FF5C33307388426F807D6523F2951AC9307A

Uniqueness

Uniqueness Score: -1.00%

Function 04C501F7 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae78cc0bc9b1375b5ee0cc7645b8be185707ed9c9466e241f7eae8256243afd
Instruction ID: e74a4cbbfdc9e3e2f7dc0b8f01b725da54f63497f436c3766e7de594d68d5d08
Opcode Fuzzy Hash: 9ae78cc0bc9b1375b5ee0cc7645b8be185707ed9c9466e241f7eae8256243afd
Instruction Fuzzy Hash: BE1102AB34C114BE514205476F156FE6A1FF5C633073D8016FC4BD6623B2946BC8703A

Uniqueness

Uniqueness Score: -1.00%

Function 04C501DA Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd618eaa55252e04a794da6c71717bc91da0098d60b669a7e2c25411983bb3d
Instruction ID: 38e5753908e654acfe7de3bbd397e5fbd17213c8f51b4223e665fbf885e78bd6
Opcode Fuzzy Hash: 6fd618eaa55252e04a794da6c71717bc91da0098d60b669a7e2c25411983bb3d
Instruction Fuzzy Hash: 73110ABB24C204EF914206436A562FE7B5BF697330738441AF847D6223F66426C9753A

Uniqueness

Uniqueness Score: -1.00%

Function 04C50217 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eaa0d2ae5a0d851222a39c25e249c61a960c00694069436dd6cfedf41f63d56
Instruction ID: cfde0f90e02757cd7cd2c47c1245ff1be20e7477b992f716205ba1988ed1b020
Opcode Fuzzy Hash: 2eaa0d2ae5a0d851222a39c25e249c61a960c00694069436dd6cfedf41f63d56
Instruction Fuzzy Hash: 8F11E9AB24C604EF81420543AE556FE7B6BB68633073C401AFC07D6633B29427C8753A

Uniqueness

Uniqueness Score: -1.00%

Function 04C5029A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c109cb1ad2604d674f0cde3733c977317a272b02d8dcd686e63186cd96ed4b
Instruction ID: c58e13a9449a6af6e9610070b4162277086d51e94ca9e8a61c8c3f5dc53fbaf5
Opcode Fuzzy Hash: 48c109cb1ad2604d674f0cde3733c977317a272b02d8dcd686e63186cd96ed4b
Instruction Fuzzy Hash: FE01B1AB28C214AE92421553AA555FE3F1BE58773073C8406FC4BD5633B2852AC8757A

Uniqueness

Uniqueness Score: -1.00%

Function 04C50267 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e29a1ed0e8e299f15306b8faef1c9a1945cfdb20fe096a78f17f51047fca45
Instruction ID: 08dfe5ae47b17c567ce4dc295cbcbb03f4757505dd47a3bd1fdfd8a6d904c016
Opcode Fuzzy Hash: 58e29a1ed0e8e299f15306b8faef1c9a1945cfdb20fe096a78f17f51047fca45
Instruction Fuzzy Hash: F501D1AB28C214FF51421543AA465FE7A1FF69673073C8412FC0BE6632B2952AC8347A

Uniqueness

Uniqueness Score: -1.00%

Function 04C50283 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7555beb5711f338676d4edfb9b458925c1e0a2f17c10422251cb0edbb4a00b
Instruction ID: 13486fe4e76d0e646f20cba1425a8a46b0c4031c83ccdf0b2ef1b762a5be187a
Opcode Fuzzy Hash: cf7555beb5711f338676d4edfb9b458925c1e0a2f17c10422251cb0edbb4a00b
Instruction Fuzzy Hash: 43F0F4AB28C204FE81021543AB555FE6B1FF6963307388412FC47E5626B29426C9743A

Uniqueness

Uniqueness Score: -1.00%

Function 04C50277 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67edb12df72c5de56bc992d68ce416ab5a45b0aff080d9246c9b2614a17c61e
Instruction ID: 5c5dfe3d9005f447af4c9db23fc37e3abefffcef0b497fe848debc5fa02512a7
Opcode Fuzzy Hash: c67edb12df72c5de56bc992d68ce416ab5a45b0aff080d9246c9b2614a17c61e
Instruction Fuzzy Hash: E2F028AB24C214FF814215436B065FE6B1FF69733073C8402FC47E5622729427C8343A

Uniqueness

Uniqueness Score: -1.00%

Function 04C502E1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9e7486416fd6ef4ed98dec9e7ec78d43425ad15464c79ca2c543c86130c0b8
Instruction ID: e5a4875da052eb94080877bcdc5aa441eace2a9d8c94cc69014dfa84e8a924ba
Opcode Fuzzy Hash: 2d9e7486416fd6ef4ed98dec9e7ec78d43425ad15464c79ca2c543c86130c0b8
Instruction Fuzzy Hash: F4F024B728C610AF9252555357091FEBB2FF6833307388426F803C2822B3882BC9343A

Uniqueness

Uniqueness Score: -1.00%

Function 04C502FA Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61650f24fa75212222d9455eb68a48e5b6a322953d2a45246e56b3c2d4ad7a3a
Instruction ID: 1c80e31c6f0c578daf96eb1f4f7bfdd4339aca310ab30aeda7d68ed9db8400c8
Opcode Fuzzy Hash: 61650f24fa75212222d9455eb68a48e5b6a322953d2a45246e56b3c2d4ad7a3a
Instruction Fuzzy Hash: 33E09AEB248618AF600256432B18AFF672EF9C33303388426F807C6422B6C41ACD303A

Uniqueness

Uniqueness Score: -1.00%

Function 04C50311 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bb3551ae1463cde4634cd58348e1c5a9eafdc496dad6dff0d0413bdd8d7d88
Instruction ID: afb9e3d9cf580c09719e013e7ac5955c3b68642ef529fa6fe0cea34e4eb56c10
Opcode Fuzzy Hash: e6bb3551ae1463cde4634cd58348e1c5a9eafdc496dad6dff0d0413bdd8d7d88
Instruction Fuzzy Hash: 0CE048A7248511BFA0524A4727185FE571EF5D3731338C827F847D5913B68527CD3536

Uniqueness

Uniqueness Score: -1.00%

Function 04C50324 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3352691322.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c50000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdd403d0f50e0466a8e07a50dd541dd03dbd094cc9860cce8da40f7e0608e76
Instruction ID: c2bffe3f4828d02eaa1a088fd467c30426274354dead5ca19bc4069d9bd47bcb
Opcode Fuzzy Hash: 3bdd403d0f50e0466a8e07a50dd541dd03dbd094cc9860cce8da40f7e0608e76
Instruction Fuzzy Hash: BEE08CEB28C1107EB00246832B09AFAA71EF5D3730338C827F847C1413A2891BCD3036

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D6C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 822493bed64289690c4b9e760dec192b6e3be34b8d38d3966396461561cfe354
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: 53024B71E112199FDF14CFA8C8806AEFBF1FF48314F25826AE959E7340D731A9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D7BB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D7BBDE

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: 6ac9909c2ab2deadf8966eb2e6a96b8f88ecabeaa7a595ee24b1eb0957d32f5a
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: 43B104729002559FDB228F68CC82BEE7BA5EF55360F18C157E949AB382E774D901C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D672C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D672F7
___except_validate_context_record.LIBVCRUNTIME ref: 00D672FF
_ValidateLocalCookies.LIBCMT ref: 00D67388
__IsNonwritableInCurrentImage.LIBCMT ref: 00D673B3
_ValidateLocalCookies.LIBCMT ref: 00D67408

Strings

csm, xrefs: 00D6739D

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a32203a777392eea07b1abcb2da8b7cf1a2b5f679c86771f8e6f5f9edb969b0e
Instruction ID: a0dee32716cabd8a6040127881849418e052c2c87085626860683389e7232b61
Opcode Fuzzy Hash: a32203a777392eea07b1abcb2da8b7cf1a2b5f679c86771f8e6f5f9edb969b0e
Instruction Fuzzy Hash: 4D419334A0420D9FCF10DF69C885A9EBBA5EF44318F188155EC28AB352DB71ED15DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4A09D
std::_Lockit::_Lockit.LIBCPMT ref: 00D4A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4A0E7
__Getctype.LIBCPMT ref: 00D4A1C5
std::_Facet_Register.LIBCPMT ref: 00D4A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4A223

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: ea669c24d6074018bea35690f89d4072cbb5e919ae0dcb6bc5f8c006737e3ddf
Instruction ID: f407ba745d1b7fca995098d4cf35ecc7fe35028143da6b4ab16c3a35c7914e05
Opcode Fuzzy Hash: ea669c24d6074018bea35690f89d4072cbb5e919ae0dcb6bc5f8c006737e3ddf
Instruction Fuzzy Hash: 795175B1D40749CFDB10DF98C941BAEBBF0EB14314F188259E845AB391D774AA48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4C45A
std::_Lockit::_Lockit.LIBCPMT ref: 00D4C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C4A4
std::_Facet_Register.LIBCPMT ref: 00D4C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C5C4

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 81639a337ff9908acc89664b060bc76286af9b0aa0adeec5ca7dacd6235a6021
Instruction ID: 4af6cb20e2a9c0c4c158a56c99a078be4a77891c9b41650f44bc3bf0487a3926
Opcode Fuzzy Hash: 81639a337ff9908acc89664b060bc76286af9b0aa0adeec5ca7dacd6235a6021
Instruction Fuzzy Hash: B051ACB0901249DFDB11DF98C945BAEBBF0FF00314F288159E849AB381D779AA05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D34900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D3499F

Strings

ios_base::badbit set, xrefs: 00D34937, 00D34962
ios_base::failbit set, xrefs: 00D34828, 00D34941
ios_base::eofbit set, xrefs: 00D34946

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 17f1f03d725ff68d3e8070488d6b613be4297954b89218142c10b58e43a3083b
Instruction ID: 821ec15aa68e1157febce3e5a0f544e2e097fdef38470767272cdab600b8830f
Opcode Fuzzy Hash: 17f1f03d725ff68d3e8070488d6b613be4297954b89218142c10b58e43a3083b
Instruction Fuzzy Hash: 06112CB29447487BCB10DE58DC03B967398DB45710F08452DFA589B2C1EB39B900CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D62719 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D62720
std::_Lockit::_Lockit.LIBCPMT ref: 00D6272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D62799

Part of subcall function 00D6287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D62894

std::locale::_Setgloballocale.LIBCPMT ref: 00D62746

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 749e5b65d137289c198f486e48c28e3d47698b393b8fc43fdce78376e0657658
Instruction ID: cdc45f09202b1a3b954ae6b4ccb6bc9084e5a4ac73124eb45e6debdd3ebdaada
Opcode Fuzzy Hash: 749e5b65d137289c198f486e48c28e3d47698b393b8fc43fdce78376e0657658
Instruction Fuzzy Hash: B001BC36A00A109FDB06AB20DC41A7E7BA1FF94780B184109E80127386CF74AA06CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D37350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D3750C
___std_exception_destroy.LIBVCRUNTIME ref: 00D37522

Strings

[json.exception., xrefs: 00D373A1

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 431e4370529a1b4a051d7e12eb2f5832c433563090fdd43c274c82602ae34c97
Instruction ID: b947de9e7765512361509c34759a1b5e3bf3a910da4c0bf26b5dd4d5a43790fc
Opcode Fuzzy Hash: 431e4370529a1b4a051d7e12eb2f5832c433563090fdd43c274c82602ae34c97
Instruction Fuzzy Hash: C651F0B1D00748AFDB10DFA8D905BAEBBB4EF11314F144269E854A7382E7B85A44CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D347F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D3499F

Strings

ios_base::badbit set, xrefs: 00D34937, 00D34962
ios_base::failbit set, xrefs: 00D34828

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 74cff98f67c8304312bc4fb57ef7bf697da2f9e055e1d5205d8b6039f6e52be8
Instruction ID: e5096f2c14c2c72e7f4454dc5c4be0872893aada90495cd473f49c4617e86040
Opcode Fuzzy Hash: 74cff98f67c8304312bc4fb57ef7bf697da2f9e055e1d5205d8b6039f6e52be8
Instruction Fuzzy Hash: FE41F5B1900648AFCB04DF58CD46BAEB7B8EF45710F18825DF554AB281D779AA40CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D34040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D34061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D340C4

Strings

bad locale name, xrefs: 00D340E6

Memory Dump Source

Source File: 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000006.00000002.3340632023.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3340659649.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341185125.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3341333728.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3343537371.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346256466.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346302341.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346555140.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3346606111.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d30000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: ddc45b0576a55a337209f2e8a88c8ea466b114e4ca1f00f194bad706dca1a438
Instruction ID: 3131b17ea144b5c72e107f9d85fa95e456a7107684d54d689a9483f07d93dd63
Opcode Fuzzy Hash: ddc45b0576a55a337209f2e8a88c8ea466b114e4ca1f00f194bad706dca1a438
Instruction Fuzzy Hash: B511B170905B84EFD721CF68C50574BBFE4AF15714F14868DD09597B81D3B9AA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MPGPH131.exePID: 6864, Parent PID: 1064COMMON

Executed Functions

Function 00DF4EB0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003D4,0000FFFF,00001006,?,00000008), ref: 00DF4F57
recv.WS2_32(?,00000004,00000002), ref: 00DF4F71
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00DF4FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00DF5014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00DF50B1

Part of subcall function 00DF5940: WSAStartup.WS2_32 ref: 00DF596B
Part of subcall function 00DF5940: socket.WS2_32(?,?,?,?,?,?,00EB6328,?,?), ref: 00DF5A0E
Part of subcall function 00DF5940: connect.WS2_32(00000000,00E86B31,?,?,?,?,00EB6328,?,?), ref: 00DF5A21
Part of subcall function 00DF5940: closesocket.WS2_32(00000000), ref: 00DF5A2D

recv.WS2_32(00000000,?,00000008), ref: 00DF50CB
recv.WS2_32(?,00000004,00000008), ref: 00DF51D3
__Xtime_get_ticks.LIBCPMT ref: 00DF51DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF51E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00DF5261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00DF5269

Strings

(c, xrefs: 00DF4F05

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID: (c
API String ID: 301102601-1781735918
Opcode ID: b856ea915698e747263fe5823512dd3b8292feef7e9d802d2f37518c52e71e25
Instruction ID: a5d1ef92e241d4a26057d7499fe4943a6f2d65df6abdd139141d272aa0b4a386
Opcode Fuzzy Hash: b856ea915698e747263fe5823512dd3b8292feef7e9d802d2f37518c52e71e25
Instruction Fuzzy Hash: C3B1BB70D003089FEB15DFA8DC89BAEBBB1EF45304F144219E654BB2E2D7B45948DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D39280 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00E7A4DC,00000000,761B23A0,-00EB6880), ref: 00D396C9

Strings

Ws2_32.dll, xrefs: 00D3969A
4oST, xrefs: 00D3962C
4oST, xrefs: 00D39660

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: Send
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 121738739-1839276265
Opcode ID: 2c732921267c28d31662cdb165469a1dbfcf1703554fa1fffe4f9a0c45e32f5d
Instruction ID: f06353974da7628559c5e5393399d831831a3975bbd54d61c534a24dfa035991
Opcode Fuzzy Hash: 2c732921267c28d31662cdb165469a1dbfcf1703554fa1fffe4f9a0c45e32f5d
Instruction Fuzzy Hash: ED02D070D04288DFDF25CF94C8A07EDFBB0EF55710F244289E4856B686D7B05986CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5940 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00DF596B
socket.WS2_32(?,?,?,?,?,?,00EB6328,?,?), ref: 00DF5A0E
connect.WS2_32(00000000,00E86B31,?,?,?,?,00EB6328,?,?), ref: 00DF5A21
closesocket.WS2_32(00000000), ref: 00DF5A2D

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 8fa640b79531ef98e9d5538c023b47182c81e33dd307e36d8ca5c1c4af744881
Instruction ID: c2487e3d588b2589350d17f8d9d46d7715ea480192ee045faea08ae933a9e12c
Opcode Fuzzy Hash: 8fa640b79531ef98e9d5538c023b47182c81e33dd307e36d8ca5c1c4af744881
Instruction Fuzzy Hash: 9731F5315057045BC7209B649C85A7BB7E4FFC5734F156F19FAA8A31E0D370A81486A2

Uniqueness

Uniqueness Score: -1.00%

Function 05760A51 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05760A39

Memory Dump Source

Source File: 00000007.00000002.3352877562.0000000005760000.00000040.00001000.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5760000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6248a16e8726160a6eee81833c14142dd0ac167e567f4b5b4b892245aaedda5f
Instruction ID: e9c5c4a98ff1592fb53ada124efee2f418a5dae76a4dcb591b7ee10b933b510d
Opcode Fuzzy Hash: 6248a16e8726160a6eee81833c14142dd0ac167e567f4b5b4b892245aaedda5f
Instruction Fuzzy Hash: 9941F1EF58D224BDA102C1412F68AF6676FE6D67703308466FC0BD6601E6D40E896171

Uniqueness

Uniqueness Score: -1.00%

Function 057609DF Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05760A39

Memory Dump Source

Source File: 00000007.00000002.3352877562.0000000005760000.00000040.00001000.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5760000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 519963e71a3a3e32e24d32711f9581463d5b99883b9e7aa2788316723658750f
Instruction ID: 83c372c5696adb14a4346c274e611412df130a06e3534748cb2e332ac357999c
Opcode Fuzzy Hash: 519963e71a3a3e32e24d32711f9581463d5b99883b9e7aa2788316723658750f
Instruction Fuzzy Hash: BE41BDEF58D224BDA102C1812F6CAF6676FE6C77703308466FC0BE6602E6D40E897131

Uniqueness

Uniqueness Score: -1.00%

Function 057609EE Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05760A39

Memory Dump Source

Source File: 00000007.00000002.3352877562.0000000005760000.00000040.00001000.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5760000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9ef447a1d54b4ba71bcb0f30241741b4117260254d0e0e5248ecafb984105dab
Instruction ID: be87a79ebd5da8387fe70dd414403d968c3f662c53b7457397f0052cd320a351
Opcode Fuzzy Hash: 9ef447a1d54b4ba71bcb0f30241741b4117260254d0e0e5248ecafb984105dab
Instruction Fuzzy Hash: E241D2EF54D224BDA102C1816F6CAFA676FE7D67703308466FC0BD6602E6E40E896171

Uniqueness

Uniqueness Score: -1.00%

Function 05760A1D Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05760A39

Memory Dump Source

Source File: 00000007.00000002.3352877562.0000000005760000.00000040.00001000.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5760000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 93918d5679f9659d38f2ebacecc4c6b3617567a64fa0be1306c769ef670ec8df
Instruction ID: 225a95dc35256b0b8305533f01f04b5eb70c15ddb9b81b335e6a5b8de342f61d
Opcode Fuzzy Hash: 93918d5679f9659d38f2ebacecc4c6b3617567a64fa0be1306c769ef670ec8df
Instruction Fuzzy Hash: 1441F3EB54D224BDA202C1802F6CAF66B6FE6D777033080A6FC0BD6642E7D50E8D6171

Uniqueness

Uniqueness Score: -1.00%

Function 00D79779 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D798FE

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2ef198cc961aaac779997507715dd042a80d7871dbaf3b05e25ca0a6b658a863
Instruction ID: e3e20c9ca43d7defe2bfe16e8734cc18326e5987f88dc894bb01f841b47f4d23
Opcode Fuzzy Hash: 2ef198cc961aaac779997507715dd042a80d7871dbaf3b05e25ca0a6b658a863
Instruction Fuzzy Hash: B361D173C04119AFDF11DFA8C855AEEFBB9AF09304F188149E908A7212E732D901CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05760A0B Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05760A39

Memory Dump Source

Source File: 00000007.00000002.3352877562.0000000005760000.00000040.00001000.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5760000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 35c43822dc5bc8ea36558de59eeefbac648d2f84a3166496ec9ce0a37daea286
Instruction ID: c144f9287ae8c39f8805fd90d985e09386e44345a1c74640518ee6aaf17a9b1a
Opcode Fuzzy Hash: 35c43822dc5bc8ea36558de59eeefbac648d2f84a3166496ec9ce0a37daea286
Instruction Fuzzy Hash: B341D2EB58D224BDA202C1852F6CAF66B6FE6C77703308066FC0BD6502E7D40E896171

Uniqueness

Uniqueness Score: -1.00%

Function 00D78DEF Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00D78CD6,00000000,?,00EA7178,0000000C,00D78D92,?,?,?), ref: 00D78E45

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0e397fd7e4cb173958d0d6a4e577087d75275782bafd45be55fea8a20ba78bb8
Instruction ID: 30ab05d154d9ef25ee20e9cfdb751348f786e2f8efc0e65de6744148ede1e8fb
Opcode Fuzzy Hash: 0e397fd7e4cb173958d0d6a4e577087d75275782bafd45be55fea8a20ba78bb8
Instruction Fuzzy Hash: AE110833A442605ACA662234984EB7E674DCB86734F3D869DF91CD71C2FF229C8191B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7250C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00D72616,?,?,?,?,?), ref: 00D72548

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 28f5b4d1e6c968a1a568a81df5e0fac028bfdc86db0186ad478c7ceca221d79e
Instruction ID: 3219854714ac0f7e0828defb1c0dece87cd1d9d6d2f0e281e326ea38a7fbbacb
Opcode Fuzzy Hash: 28f5b4d1e6c968a1a568a81df5e0fac028bfdc86db0186ad478c7ceca221d79e
Instruction Fuzzy Hash: 2E012633610255AFCF098F19DC15CAE3B19DB85324B284248F8049B291FA71EE428BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D332D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D3331F

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: d96ecb890acfc2df5fde90d066479fd60f9863e2c308ca2a15aeeb36e3577e43
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: AEF0E9725401049BCB147FA4D5158E9B3E8EF243A1B14497BE88DC7212EF26DA90C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A64C Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00D79FD2,00000001,00000364,00000001,00000006,000000FF,?,00D64B2F,?,?,761B23A0,?), ref: 00D7A68D

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bf9d61f89d9a8dc4931f654318ca184f44bbdf2f3dceae7f6e57d9e6f9f1e3b9
Instruction ID: fc5d3eaedb759ec1820b48753540c3a6994754e149837ad16c5187d8fceb5f5b
Opcode Fuzzy Hash: bf9d61f89d9a8dc4931f654318ca184f44bbdf2f3dceae7f6e57d9e6f9f1e3b9
Instruction Fuzzy Hash: 69F0E932510E216ADB226A6E9C05E5E374DAFC1770B1DC226F80CAA1A0FA20EC0085F7

Uniqueness

Uniqueness Score: -1.00%

Function 00D7B086 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00D64B2F,?,?,761B23A0,?,?,00D33522,?,?), ref: 00D7B0B8

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 508a64a63c9e6221e243bd65db310fa1c8af988616e241a05ca0ec172ea50803
Instruction ID: cab3fe606f10eaa3c6caba9ca1e70929ad7c967a994ff2e059d5bf4a3f5f45ed
Opcode Fuzzy Hash: 508a64a63c9e6221e243bd65db310fa1c8af988616e241a05ca0ec172ea50803
Instruction Fuzzy Hash: B6E06D311416216AEA3126769C00BAF264AEF433B0F298223FD6CA70D2FB60DC0081F1

Uniqueness

Uniqueness Score: -1.00%

Function 0577008B Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3352930613.0000000005770000.00000040.00001000.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5770000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446b85f94506d5ba4413216299452c7a54812176e53d01b20c82e4699d95096f
Instruction ID: 1f97564c426c9ce5c21dc67a7cf38fc56e61ee5c4ce4d442f0aa4c8f31f989c8
Opcode Fuzzy Hash: 446b85f94506d5ba4413216299452c7a54812176e53d01b20c82e4699d95096f
Instruction Fuzzy Hash: 1F218BEB2580647DEE02D1527A5CBFB2F6FE796730B308426F047C6583E19405C6B972

Uniqueness

Uniqueness Score: -1.00%

Function 0577007E Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3352930613.0000000005770000.00000040.00001000.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5770000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0ba3fd133d8564de02694ad2ac6110eb9b9bf8dea44007e87e94024455ba51
Instruction ID: fb912467636bc9a53cda4b58b7eefb86ba6b2d5c7a3e5debbcf429c5a90d941c
Opcode Fuzzy Hash: 1e0ba3fd133d8564de02694ad2ac6110eb9b9bf8dea44007e87e94024455ba51
Instruction Fuzzy Hash: 921148EB15C1247EA442D0567B58BFB6F5FE7D7770B308427F007C2642E29805887872

Uniqueness

Uniqueness Score: -1.00%

Function 057700CD Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3352930613.0000000005770000.00000040.00001000.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5770000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91eb2c10da637dbf8d360f53186e552870c2bde18852f1d5c7596af4e989a773
Instruction ID: 53116017eac4cea128f454d9c61b4df59b6217eac69fce64673d4e08e26ee274
Opcode Fuzzy Hash: 91eb2c10da637dbf8d360f53186e552870c2bde18852f1d5c7596af4e989a773
Instruction Fuzzy Hash: 2E0147FB5681247DB541E1667A58BFB5B5EE7D67B0B30842BB007C2542D68409883831

Uniqueness

Uniqueness Score: -1.00%

Function 057700F9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3352930613.0000000005770000.00000040.00001000.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5770000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4bd7cfc8d3cc7281cef923527fba75110934ea08c7e5b1132923f100219d77
Instruction ID: 429dd44dd4fd864e5b5586f8e136ffaee3c1c983718ed734cb576ddff07e5cde
Opcode Fuzzy Hash: ad4bd7cfc8d3cc7281cef923527fba75110934ea08c7e5b1132923f100219d77
Instruction Fuzzy Hash: BEF022FB1190157DB510D1567B68BFBA76EE2DAB70B308827F00BD3A42D6940A8D2832

Uniqueness

Uniqueness Score: -1.00%

Function 057700E5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3352930613.0000000005770000.00000040.00001000.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5770000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c687e4c7903b83d29a1d55c406b1269d811fee2aabd1e02ed92124736b13f65f
Instruction ID: aa9d1e5639c93b60baba68679086f1fa12279fae119d101804e5ca99b35283e2
Opcode Fuzzy Hash: c687e4c7903b83d29a1d55c406b1269d811fee2aabd1e02ed92124736b13f65f
Instruction Fuzzy Hash: E20121FB1191586EA540D1627B58BFF6B2EE7D6B70B30882AF007C2542D694098E2532

Uniqueness

Uniqueness Score: -1.00%

Function 05770102 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3352930613.0000000005770000.00000040.00001000.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5770000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a494867bb7470fc78c825d4310479c5f5de22256a5b8a5471158362324644c22
Instruction ID: 00fb91babbd7fa9a3024fc8048c92bc5397307c67fde45471083b3253553be26
Opcode Fuzzy Hash: a494867bb7470fc78c825d4310479c5f5de22256a5b8a5471158362324644c22
Instruction Fuzzy Hash: E0F022EB1290147DB441D2667B58BFBA72EE7D6B30B308827F007C2942D79409892432

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D6C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 822493bed64289690c4b9e760dec192b6e3be34b8d38d3966396461561cfe354
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: 53024B71E112199FDF14CFA8C8806AEFBF1FF48314F25826AE959E7340D731A9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D7BB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D7BBDE

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: 6ac9909c2ab2deadf8966eb2e6a96b8f88ecabeaa7a595ee24b1eb0957d32f5a
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: 43B104729002559FDB228F68CC82BEE7BA5EF55360F18C157E949AB382E774D901C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D672C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D672F7
___except_validate_context_record.LIBVCRUNTIME ref: 00D672FF
_ValidateLocalCookies.LIBCMT ref: 00D67388
__IsNonwritableInCurrentImage.LIBCMT ref: 00D673B3
_ValidateLocalCookies.LIBCMT ref: 00D67408

Strings

csm, xrefs: 00D6739D

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a32203a777392eea07b1abcb2da8b7cf1a2b5f679c86771f8e6f5f9edb969b0e
Instruction ID: a0dee32716cabd8a6040127881849418e052c2c87085626860683389e7232b61
Opcode Fuzzy Hash: a32203a777392eea07b1abcb2da8b7cf1a2b5f679c86771f8e6f5f9edb969b0e
Instruction Fuzzy Hash: 4D419334A0420D9FCF10DF69C885A9EBBA5EF44318F188155EC28AB352DB71ED15DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4A09D
std::_Lockit::_Lockit.LIBCPMT ref: 00D4A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4A0E7
__Getctype.LIBCPMT ref: 00D4A1C5
std::_Facet_Register.LIBCPMT ref: 00D4A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4A223

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: ea669c24d6074018bea35690f89d4072cbb5e919ae0dcb6bc5f8c006737e3ddf
Instruction ID: f407ba745d1b7fca995098d4cf35ecc7fe35028143da6b4ab16c3a35c7914e05
Opcode Fuzzy Hash: ea669c24d6074018bea35690f89d4072cbb5e919ae0dcb6bc5f8c006737e3ddf
Instruction Fuzzy Hash: 795175B1D40749CFDB10DF98C941BAEBBF0EB14314F188259E845AB391D774AA48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4C45A
std::_Lockit::_Lockit.LIBCPMT ref: 00D4C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C4A4
std::_Facet_Register.LIBCPMT ref: 00D4C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C5C4

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 81639a337ff9908acc89664b060bc76286af9b0aa0adeec5ca7dacd6235a6021
Instruction ID: 4af6cb20e2a9c0c4c158a56c99a078be4a77891c9b41650f44bc3bf0487a3926
Opcode Fuzzy Hash: 81639a337ff9908acc89664b060bc76286af9b0aa0adeec5ca7dacd6235a6021
Instruction Fuzzy Hash: B051ACB0901249DFDB11DF98C945BAEBBF0FF00314F288159E849AB381D779AA05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D34900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D3499F

Strings

ios_base::badbit set, xrefs: 00D34937, 00D34962
ios_base::failbit set, xrefs: 00D34828, 00D34941
ios_base::eofbit set, xrefs: 00D34946

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 17f1f03d725ff68d3e8070488d6b613be4297954b89218142c10b58e43a3083b
Instruction ID: 821ec15aa68e1157febce3e5a0f544e2e097fdef38470767272cdab600b8830f
Opcode Fuzzy Hash: 17f1f03d725ff68d3e8070488d6b613be4297954b89218142c10b58e43a3083b
Instruction Fuzzy Hash: 06112CB29447487BCB10DE58DC03B967398DB45710F08452DFA589B2C1EB39B900CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D62719 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D62720
std::_Lockit::_Lockit.LIBCPMT ref: 00D6272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D62799

Part of subcall function 00D6287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D62894

std::locale::_Setgloballocale.LIBCPMT ref: 00D62746

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 749e5b65d137289c198f486e48c28e3d47698b393b8fc43fdce78376e0657658
Instruction ID: cdc45f09202b1a3b954ae6b4ccb6bc9084e5a4ac73124eb45e6debdd3ebdaada
Opcode Fuzzy Hash: 749e5b65d137289c198f486e48c28e3d47698b393b8fc43fdce78376e0657658
Instruction Fuzzy Hash: B001BC36A00A109FDB06AB20DC41A7E7BA1FF94780B184109E80127386CF74AA06CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D37350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D3750C
___std_exception_destroy.LIBVCRUNTIME ref: 00D37522

Strings

[json.exception., xrefs: 00D373A1

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 431e4370529a1b4a051d7e12eb2f5832c433563090fdd43c274c82602ae34c97
Instruction ID: b947de9e7765512361509c34759a1b5e3bf3a910da4c0bf26b5dd4d5a43790fc
Opcode Fuzzy Hash: 431e4370529a1b4a051d7e12eb2f5832c433563090fdd43c274c82602ae34c97
Instruction Fuzzy Hash: C651F0B1D00748AFDB10DFA8D905BAEBBB4EF11314F144269E854A7382E7B85A44CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D347F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D3499F

Strings

ios_base::badbit set, xrefs: 00D34937, 00D34962
ios_base::failbit set, xrefs: 00D34828

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 74cff98f67c8304312bc4fb57ef7bf697da2f9e055e1d5205d8b6039f6e52be8
Instruction ID: e5096f2c14c2c72e7f4454dc5c4be0872893aada90495cd473f49c4617e86040
Opcode Fuzzy Hash: 74cff98f67c8304312bc4fb57ef7bf697da2f9e055e1d5205d8b6039f6e52be8
Instruction Fuzzy Hash: FE41F5B1900648AFCB04DF58CD46BAEB7B8EF45710F18825DF554AB281D779AA40CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D34040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D34061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D340C4

Strings

bad locale name, xrefs: 00D340E6

Memory Dump Source

Source File: 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000007.00000002.3338074043.0000000000D30000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3338357309.0000000000EB2000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339420181.0000000000EBF000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000000EC4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001112000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.000000000114E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001157000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3339709367.0000000001165000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340450990.0000000001166000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340755543.00000000012EE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012EF000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F4000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3340797928.00000000012F7000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341125594.00000000012FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3341177961.00000000012FB000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: ddc45b0576a55a337209f2e8a88c8ea466b114e4ca1f00f194bad706dca1a438
Instruction ID: 3131b17ea144b5c72e107f9d85fa95e456a7107684d54d689a9483f07d93dd63
Opcode Fuzzy Hash: ddc45b0576a55a337209f2e8a88c8ea466b114e4ca1f00f194bad706dca1a438
Instruction Fuzzy Hash: B511B170905B84EFD721CF68C50574BBFE4AF15714F14868DD09597B81D3B9AA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RageMP131.exePID: 3992, Parent PID: 4004COMMON

Executed Functions

Function 00FA4EB0 Relevance: 16.8, APIs: 11, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003FC,0000FFFF,00001006,?,00000008), ref: 00FA4F57
recv.WS2_32(?,00000004,00000002), ref: 00FA4F71
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00FA4FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00FA5014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00FA50B0

Part of subcall function 00FA5940: WSAStartup.WS2_32 ref: 00FA596B
Part of subcall function 00FA5940: socket.WS2_32(?,?,?,?,?,?,01066328,?,?), ref: 00FA5A0E
Part of subcall function 00FA5940: connect.WS2_32(00000000,01036B31,?,?,?,?,01066328,?,?), ref: 00FA5A22
Part of subcall function 00FA5940: closesocket.WS2_32(00000000), ref: 00FA5A2D

recv.WS2_32(00000000,?,00000008), ref: 00FA50CB
recv.WS2_32(?,00000004,00000008), ref: 00FA51D3
__Xtime_get_ticks.LIBCPMT ref: 00FA51DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA51E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00FA5261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00FA5269

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID:
API String ID: 301102601-0
Opcode ID: a14caddb7d022bfcb6df697abf8f1be0c7c602e63dae466fffc6c01e313a8e90
Instruction ID: 4a686754c2ec3dcbf0a2da9cf7a3d0bce0178a00e9c55d99c10fc0bc1ca77e2d
Opcode Fuzzy Hash: a14caddb7d022bfcb6df697abf8f1be0c7c602e63dae466fffc6c01e313a8e90
Instruction Fuzzy Hash: FBB1ADB1D04308DFEB24DFA4CC89BADBBF5EB45710F204219E494AB2D2D77A5944DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00EE9280 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0102A4DC,00000000,761B23A0,-01066880), ref: 00EE96C9

Strings

4oST, xrefs: 00EE9660
Ws2_32.dll, xrefs: 00EE969A
4oST, xrefs: 00EE962C

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: Send
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 121738739-1839276265
Opcode ID: c543706cb0730a57533f6e5257682f6231cacfdbde459ca37ce6adb39335b47c
Instruction ID: b35fc5e71e1aaf027704c7c0109c6f199024d60a098b2c5589539551b4c5f6e0
Opcode Fuzzy Hash: c543706cb0730a57533f6e5257682f6231cacfdbde459ca37ce6adb39335b47c
Instruction Fuzzy Hash: C902EB70E04288DFDF25CFA5C8907ACBBB0EF55314F24428DE8857B686C7741A86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5940 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00FA596B
socket.WS2_32(?,?,?,?,?,?,01066328,?,?), ref: 00FA5A0E
connect.WS2_32(00000000,01036B31,?,?,?,?,01066328,?,?), ref: 00FA5A22
closesocket.WS2_32(00000000), ref: 00FA5A2D

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 26766c300b19d71ffa1a405774362fa1058e2c72d63a0c4acc7bbd66f4b5b44b
Instruction ID: 3a9b0d59eb2c4622dca833789f1af8adcbb51e72a0d8587189577ace91b8b2d4
Opcode Fuzzy Hash: 26766c300b19d71ffa1a405774362fa1058e2c72d63a0c4acc7bbd66f4b5b44b
Instruction Fuzzy Hash: 37310771A057015BC7209F648C89B6BB7E4FFC6734F101F1DF9A8932D0D37598049692

Uniqueness

Uniqueness Score: -1.00%

Function 04D80000 Relevance: 1.7, APIs: 1, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b8489db28cdd7c2a0dbee52366f5cf8e2e8897f7f8eb3e6a588e7c9f0106c5
Instruction ID: d567db08257cf14c98cdc5f94ae0a97ecc9020d3e551c64c0111d7beec192646
Opcode Fuzzy Hash: d5b8489db28cdd7c2a0dbee52366f5cf8e2e8897f7f8eb3e6a588e7c9f0106c5
Instruction Fuzzy Hash: A34179EB34C214BDB213A5816B54AFB677DE6D6730732882EF883D2002F2D4AE4D2171

Uniqueness

Uniqueness Score: -1.00%

Function 04D80023 Relevance: 1.7, APIs: 1, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade9fb08730e53d91e085f0fd1d3c41ba2c93ac474f070b4a1a76d678b0c63f5
Instruction ID: e2e6fb6499906c477857a9e418ca66b4dd976df8121586781e3f706d121be0ab
Opcode Fuzzy Hash: ade9fb08730e53d91e085f0fd1d3c41ba2c93ac474f070b4a1a76d678b0c63f5
Instruction Fuzzy Hash: 61415BEB74C114BDB213A5816B54BFB677DE6D6B30732846AF843D2006F2D4AA4E2131

Uniqueness

Uniqueness Score: -1.00%

Function 04D80010 Relevance: 1.7, APIs: 1, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 82ce2e06fe0d5f2b03c4f3f7e442a0ab8fd2de81d377ec4c79b4ca7dc48beb7a
Instruction ID: b792543dd8f6f977a8b83ff59026f0bb7b11d89bf4f5926ec317bf6449ccd0e7
Opcode Fuzzy Hash: 82ce2e06fe0d5f2b03c4f3f7e442a0ab8fd2de81d377ec4c79b4ca7dc48beb7a
Instruction Fuzzy Hash: 17415BEB74C224BDB213A5816B54AFB677DE6D6730732842AF843D2006F2D49E4E2131

Uniqueness

Uniqueness Score: -1.00%

Function 04D80049 Relevance: 1.7, APIs: 1, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dd95b09082cf450e2ebc4008c0888fd80ffc608c151615d1d3b381295303c684
Instruction ID: 1996df986b012708145bb98641c4d3c471fcd971ecaae5e5738c806b0ae44572
Opcode Fuzzy Hash: dd95b09082cf450e2ebc4008c0888fd80ffc608c151615d1d3b381295303c684
Instruction Fuzzy Hash: 71416CEB74C114BCB203A5916B54BFB677DE6D6730732846AF843D6006F2D49E8D2071

Uniqueness

Uniqueness Score: -1.00%

Function 04D80066 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e3619bb962846884d7f15f3b25dec6daf2386a1ce618c117989f4af75541f521
Instruction ID: f6e4320e8717aab6629c5fcd8d2fc3a4aa99b10e72e1f7dcea9408a5b097217e
Opcode Fuzzy Hash: e3619bb962846884d7f15f3b25dec6daf2386a1ce618c117989f4af75541f521
Instruction Fuzzy Hash: 7D413AEB74C124BCB203A5826B54BFB677DE6D6730732846AF847D2406F2D49B8E2171

Uniqueness

Uniqueness Score: -1.00%

Function 00F29779 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F298FE

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: dfeb19a03e0b72736068ad708f99b5a8754766af374acf3438ebc61c4dd815fe
Instruction ID: 226f9ed719b3937da6e89233887c951f695643a366cbe24519dff38848911b6c
Opcode Fuzzy Hash: dfeb19a03e0b72736068ad708f99b5a8754766af374acf3438ebc61c4dd815fe
Instruction Fuzzy Hash: 7261DA72C08129AFDF11DFA8EC40AEE7BB9AF09324F140159E904A7246D775D941EB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D80088 Relevance: 1.7, APIs: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 781e418afe041fa80e8a991f4cd71fd7da36a69b582e00dee45bce99835f5509
Instruction ID: 65f92a376184a99034305d7d758e72204f1fdb30033be364cdf2807de99eb3e8
Opcode Fuzzy Hash: 781e418afe041fa80e8a991f4cd71fd7da36a69b582e00dee45bce99835f5509
Instruction Fuzzy Hash: 5B313AEB74C114BCB203A9816B54BFB677DE6D6730732846AF847D2406F2D49B8E2171

Uniqueness

Uniqueness Score: -1.00%

Function 04D800B8 Relevance: 1.7, APIs: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b6c8b3b76d9cd7ca43afb7899555ee6f903822db28c23b8b60c2a80def8df161
Instruction ID: 94dcb1a4c3adf893e7e27be25f95b14feb5266327fb4efe0df515cadba8fb419
Opcode Fuzzy Hash: b6c8b3b76d9cd7ca43afb7899555ee6f903822db28c23b8b60c2a80def8df161
Instruction Fuzzy Hash: 76319AEB74C224BCB603A9916B14AFA677DE6D3730732847AF843D2006F2D49A4E2171

Uniqueness

Uniqueness Score: -1.00%

Function 04D800E7 Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7b6a47e516569f314a7d9249f5bde3e19830ae7d7168e0045dffd0f5ec4a3746
Instruction ID: 94136cf91e93b99ed679f1c50893ab5508b930cea8e4e57c78314683a2a81ed8
Opcode Fuzzy Hash: 7b6a47e516569f314a7d9249f5bde3e19830ae7d7168e0045dffd0f5ec4a3746
Instruction Fuzzy Hash: B8215EEB74C215BCB613A9916B54BFB677DE6D6730732846AF843D2002F2D49B4D2071

Uniqueness

Uniqueness Score: -1.00%

Function 04D800FB Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8034314d5e699c2ba034621f378d11fb4793edf27dc99d22dd94dcc41dd3ac6f
Instruction ID: 7604b705265f8bf61d613e988b958558c0b2626f377dc724fae5839741cad96b
Opcode Fuzzy Hash: 8034314d5e699c2ba034621f378d11fb4793edf27dc99d22dd94dcc41dd3ac6f
Instruction Fuzzy Hash: 07216BEB74C215BCB613A9916B54AFB677DE5D2730732846AF843D2402F2D49B8D2071

Uniqueness

Uniqueness Score: -1.00%

Function 04D80115 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2e936e78d313e3180cebbc14c2a6a441f338006ef45fe84b52506bdc5364e540
Instruction ID: f8ccbada7c663a79b2e19611dac30518e3e7216a4c128264d8c185ea3d7796f1
Opcode Fuzzy Hash: 2e936e78d313e3180cebbc14c2a6a441f338006ef45fe84b52506bdc5364e540
Instruction Fuzzy Hash: 59217CEB74C225BCB613A9916B14AFB677DE5D3730732846AF443D6102F2D4AB8D2071

Uniqueness

Uniqueness Score: -1.00%

Function 04D80197 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d831730751d000904ab29c470baf02998f19a642a5a862ddcdef04370b9d3d74
Instruction ID: bb547e24da7338459cf764b135dd2632cd4ee047c07e08cb95157f771389bc68
Opcode Fuzzy Hash: d831730751d000904ab29c470baf02998f19a642a5a862ddcdef04370b9d3d74
Instruction Fuzzy Hash: D521A1EB74C215BCA213A9916B14BFAA77DE6D7730732846AF843D6002F2D4AB4D2471

Uniqueness

Uniqueness Score: -1.00%

Function 04D80138 Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d50b5fc729da7a23029849ef931e5c7b04db114fb09f081e10a9ca3ebebc1bde
Instruction ID: ceb2f85f17aaf790608c26afc6500d8d8a955ba07344c39e3e6a098bbfab9e12
Opcode Fuzzy Hash: d50b5fc729da7a23029849ef931e5c7b04db114fb09f081e10a9ca3ebebc1bde
Instruction Fuzzy Hash: 0221AFEB74C214BDA213A9916B14BFA677DE6D7730732847AF843E6102F2D49B4D2070

Uniqueness

Uniqueness Score: -1.00%

Function 04D8016C Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f16705e3c49586805a8e257f5f724f03210470caef0acca5f1f777f73f775668
Instruction ID: 66dc9c5175b48b1543e224d2bbd1f1bb386cc4254914a5d806d62e0813e4ac68
Opcode Fuzzy Hash: f16705e3c49586805a8e257f5f724f03210470caef0acca5f1f777f73f775668
Instruction Fuzzy Hash: CF119DEB64C211BCF213A9916B14BFA6B7DE6D2730732846EF443D6102F2D49B4D2171

Uniqueness

Uniqueness Score: -1.00%

Function 04D80186 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8120b2ed04fc4fda3ff59f9124e03a4e5e22ceb25513c4b693df9f197f3505bf
Instruction ID: b39490a34d7dbcf9ef7124a9a24c5eea9c07869eef6bd3905baee241cc7ef97a
Opcode Fuzzy Hash: 8120b2ed04fc4fda3ff59f9124e03a4e5e22ceb25513c4b693df9f197f3505bf
Instruction Fuzzy Hash: AF115EEB74C211BCB203A9916B58AFB6B7DE5D2730332886AF443D6505F2D49B4D2070

Uniqueness

Uniqueness Score: -1.00%

Function 04D801A8 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D801BF

Memory Dump Source

Source File: 00000008.00000002.3352104310.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0ed74d6a08a7759f9998945e636b7c8931ed1da5120e9710f074bb6cbbbd0270
Instruction ID: 9e3a10fdcf202cb3def3a6fa097c442439cdf26b8bfcd70c35b40f834291bcd3
Opcode Fuzzy Hash: 0ed74d6a08a7759f9998945e636b7c8931ed1da5120e9710f074bb6cbbbd0270
Instruction Fuzzy Hash: E51191EB748214BCA203A5916B58BFAA77DE6D2730732847AF443E2505F2D49B4D2070

Uniqueness

Uniqueness Score: -1.00%

Function 00F28DEF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F28CD6,00000000,?,01057178,0000000C,00F28D92,?,?,?), ref: 00F28E45

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 26cf4bf3b9094097ebddaa8988286ec8816932c05c4c3cdda39689768cd672ad
Instruction ID: a385430c8c0f8220787a1eba8e7a36719ddf380347a2aa352f42c2403b8ce795
Opcode Fuzzy Hash: 26cf4bf3b9094097ebddaa8988286ec8816932c05c4c3cdda39689768cd672ad
Instruction Fuzzy Hash: 21112F33E0653456E63521B47C46B7E374D8B927B4F3B0659F814A71D2DE29AC82B190

Uniqueness

Uniqueness Score: -1.00%

Function 00F2250C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00F22616,?,?,?,?,?), ref: 00F22548

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3b98fb07cb91978e997d37e8bf7a7bffc437a5fc8650f81af8ba0330dad4924d
Instruction ID: 6485ae9c3e4581b2f1ded6c71ff48094b1be3a5ddd91b52260af760091690ea9
Opcode Fuzzy Hash: 3b98fb07cb91978e997d37e8bf7a7bffc437a5fc8650f81af8ba0330dad4924d
Instruction Fuzzy Hash: 3A0149336201257FCF19CF19EC52D9E3B19DB81334B384208F8109B291E675ED51AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE32D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00EE331F

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: e0d60eb349ea39bf7c47352d77c8fa6ce64f775574e129306e8dc4ddb07ca503
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: E6F02472100108DBCB146F75D809CE9B3E8EF143A1710097AE89CE7212EB2ADA809BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2B086 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00F14B2F,?,?,761B23A0,?,?,00EE3522,?,?), ref: 00F2B0B9

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f56f0eeae70a29449f966604ce156f264aebd978159cbab6207af0f05ea65963
Instruction ID: fbc7e82be9d4713031f28f6c8e29bed187251e3319c03f552dbfa9ff509c2874
Opcode Fuzzy Hash: f56f0eeae70a29449f966604ce156f264aebd978159cbab6207af0f05ea65963
Instruction Fuzzy Hash: 60E06D329026316AEA33A6B57C05B6F3749EF427B0F190121FE24A70C1DF28DC40A1E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F1C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 72fd7202fcea208793c3da3b84e4c0570227d7c24e8642cedffc544939c0b87d
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: E1023B71E412199BDF14CFA9D8806EEBBF1FF48324F248269D919E7380D731AD819B90

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EFA09D
std::_Lockit::_Lockit.LIBCPMT ref: 00EFA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00EFA0E7
__Getctype.LIBCPMT ref: 00EFA1C5
std::_Facet_Register.LIBCPMT ref: 00EFA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00EFA223

Strings

PG, xrefs: 00EFA1BF
E, xrefs: 00EFA1AE
PD, xrefs: 00EFA19A

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD$PG$E
API String ID: 1102183713-3756609794
Opcode ID: aab0cc738f37cbe9c9535c931c33d2fd39ddf3c154bc2bc446f97df8bc8c311d
Instruction ID: fcb204dc5daeb52866930640c04df1eec54ae523214d9a9c913690869c039267
Opcode Fuzzy Hash: aab0cc738f37cbe9c9535c931c33d2fd39ddf3c154bc2bc446f97df8bc8c311d
Instruction Fuzzy Hash: 6551A8B0D01259DFDB20CF98C9417AEBBB4BB00714F18826DD885AB391D779AE44CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F172C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F172F7
___except_validate_context_record.LIBVCRUNTIME ref: 00F172FF
_ValidateLocalCookies.LIBCMT ref: 00F17388
__IsNonwritableInCurrentImage.LIBCMT ref: 00F173B3
_ValidateLocalCookies.LIBCMT ref: 00F17408

Strings

" Yk, xrefs: 00F17372, 00F173EF
`-, xrefs: 00F173CC
csm, xrefs: 00F1739D

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: " Yk$`-$csm
API String ID: 1170836740-2743354744
Opcode ID: 3dbde307851a4881d6a586a9a3ff1d2ecc6f7f7d1e351879b48bd45b2078f379
Instruction ID: 9fc2deefddc9ad5e3bd827ce5aab939c348583ba65c6a8fe563c629b5c493246
Opcode Fuzzy Hash: 3dbde307851a4881d6a586a9a3ff1d2ecc6f7f7d1e351879b48bd45b2078f379
Instruction Fuzzy Hash: 2941A634E043099BCF10EF69C884ADEBBB5AF44324F148155FC189B352DB75D981EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EFC45A
std::_Lockit::_Lockit.LIBCPMT ref: 00EFC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00EFC4A4
std::_Facet_Register.LIBCPMT ref: 00EFC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00EFC5C4

Strings

PD, xrefs: 00EFC54E
E, xrefs: 00EFC562

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E$PD
API String ID: 459529453-4195941332
Opcode ID: b61fbdf34898064d4e0776105a9ad7140a6068162e9b57dd61385dcf8d9da799
Instruction ID: 772ccedb06100e01e71930ef81637d4e2f5194d408760917b29a68d93e25b3d5
Opcode Fuzzy Hash: b61fbdf34898064d4e0776105a9ad7140a6068162e9b57dd61385dcf8d9da799
Instruction Fuzzy Hash: DD519FB0900258DFDB21DF98C944BAEBBF0FB00714F348159E595AB381D77AAA45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2BB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F2BBDE

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: 7780c9766bd11b65cb46b35bd2ae4d7fa6b0f95ba70b5e0f0024d40862159b55
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: ECB15732D007759FDB218F24DC82BEE7BA5EF55360F158155ED04AF282D7789901E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F12719 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00F12720
std::_Lockit::_Lockit.LIBCPMT ref: 00F1272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00F12799

Part of subcall function 00F1287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00F12894

std::locale::_Setgloballocale.LIBCPMT ref: 00F12746

Strings

`-, xrefs: 00F12768, 00F1278C

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-
API String ID: 677527491-2038111592
Opcode ID: 658776ac60dba29e95c195e1ed3101aed3cf512b83bedcbbfe5cdc5d2591d3c3
Instruction ID: c1d9868e0adbcf76c7a22bc0aef562c6b0878f5b92ab5e0270d3372e8d71fd7a
Opcode Fuzzy Hash: 658776ac60dba29e95c195e1ed3101aed3cf512b83bedcbbfe5cdc5d2591d3c3
Instruction Fuzzy Hash: 3E01BC75A002209BCB09EB60C8455BD7BB1BF84BA0B088009E84157385CF78AE92EB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A6A9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F2A85E

Part of subcall function 00F2B086: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00F14B2F,?,?,761B23A0,?,?,00EE3522,?,?), ref: 00F2B0B9

__freea.LIBCMT ref: 00F2A871
__freea.LIBCMT ref: 00F2A87E

Strings

" Yk, xrefs: 00F2A6B0

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID: " Yk
API String ID: 2243444508-2720768132
Opcode ID: 88f66833408e155d4ed57f60c18743fbaa9b6de0b08571bfc3803d9bc3bc9c92
Instruction ID: 50e8a042383bf17fe164c3e4773d15b3c303fdf49e80d897a1af1984cf3ac336
Opcode Fuzzy Hash: 88f66833408e155d4ed57f60c18743fbaa9b6de0b08571bfc3803d9bc3bc9c92
Instruction Fuzzy Hash: 9051E672A00226AFEB215F64EC85EFB3BA9DF84760F150128FD05E6151EB34DC52F662

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00EE750C
___std_exception_destroy.LIBVCRUNTIME ref: 00EE7522

Strings

), xrefs: 00EE7502, 00EE751C
[json.exception., xrefs: 00EE73A1

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )$[json.exception.
API String ID: 4194217158-1768919221
Opcode ID: ff0270d93c32449ddaa9fb3980c4dc93047469222e5d958a40322e13772aab38
Instruction ID: 0168660a548facac41d33ec035fcc13f6ed68320b5db229d1c4cb42068e88c55
Opcode Fuzzy Hash: ff0270d93c32449ddaa9fb3980c4dc93047469222e5d958a40322e13772aab38
Instruction Fuzzy Hash: 1B51CFB1D042889FDB00DFA8CD05B9EBBF4EF51314F144269E854AB282E7B85A44D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00EE499F

Strings

ios_base::eofbit set, xrefs: 00EE4946
ios_base::failbit set, xrefs: 00EE4828, 00EE4941
ios_base::badbit set, xrefs: 00EE4937, 00EE4962

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: d03ead5eed8096f33f1742a28478e628eb5df25f341fcfd746a65d4178517b46
Instruction ID: 65a63939f362c9978889a6d1c3d7ef7660ef732d0797351b0316a7dde93124aa
Opcode Fuzzy Hash: d03ead5eed8096f33f1742a28478e628eb5df25f341fcfd746a65d4178517b46
Instruction Fuzzy Hash: 761129F2904688BBCB10DE5DEC42B96739CEB45710F044669FD98B72C2EA35A900D796

Uniqueness

Uniqueness Score: -1.00%

Function 00EE36E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00EE3819
___std_exception_destroy.LIBVCRUNTIME ref: 00EE38F0

Strings

), xrefs: 00EE37ED, 00EE38EA

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )
API String ID: 2970364248-2934624886
Opcode ID: 56e7ee72c96b7a3829f5594d5cc31c61c2e065e6e60f216ca773ba39a203f7f0
Instruction ID: 2be47082885ac62cebf1f8ead2620ef3052c8b4b736cfabcf97204fb1c6633e9
Opcode Fuzzy Hash: 56e7ee72c96b7a3829f5594d5cc31c61c2e065e6e60f216ca773ba39a203f7f0
Instruction Fuzzy Hash: F76189B1D00258DFDB14CF98C948B9DFBB4FF58324F148259E854BB282D7B55A84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE47F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00EE499F

Strings

ios_base::failbit set, xrefs: 00EE4828
ios_base::badbit set, xrefs: 00EE4937, 00EE4962

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 4e144f3690b2e536f2e9a4abf8d6189152886989c7cedbdfeecc19f7935dc9a2
Instruction ID: 30cac973552674c3a3c654078d4f333de3dcd4ce832ae2774caa39c8c37cdcde
Opcode Fuzzy Hash: 4e144f3690b2e536f2e9a4abf8d6189152886989c7cedbdfeecc19f7935dc9a2
Instruction Fuzzy Hash: F24101B1900288ABCB04DF69CC45BAEBBF8EB45710F14825DF454BB382D775AA00DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EE4061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00EE40C4

Strings

bad locale name, xrefs: 00EE40E6

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 242190953e814f941779ea5059ec7335afd62a7269a4a0091cb29ceb2c73007e
Instruction ID: 0a361bede260366bacd68d240575a90c4f933af2437b93e0ab889637e6a5874a
Opcode Fuzzy Hash: 242190953e814f941779ea5059ec7335afd62a7269a4a0091cb29ceb2c73007e
Instruction Fuzzy Hash: 1A11D3B0905BC4DED721CFA8C90478BBFF4AF15714F14869DE09597B81D3B9AA04C792

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00EF65C9
___std_exception_copy.LIBVCRUNTIME ref: 00EF65FC

Strings

), xrefs: 00EF65BA, 00EF65ED

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )
API String ID: 2659868963-2934624886
Opcode ID: 80035c20609282a71bc875d013ec7be81933b4a88d491c62ab3208981e333fc5
Instruction ID: e5f5babede17e87bb98c029d3f8547f18819ac5b23c6c3f694796235e4af498d
Opcode Fuzzy Hash: 80035c20609282a71bc875d013ec7be81933b4a88d491c62ab3208981e333fc5
Instruction Fuzzy Hash: 65112EB5900648EBCB15CF99C980B86F7FCFB59720F10876AE95497641E774A540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00EE7A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00EE7A72

Strings

), xrefs: 00EE7A52, 00EE7A6C

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )
API String ID: 4194217158-2934624886
Opcode ID: 16d7c0e4796cebb205c5b6bd63252cb387e9a0bc4ef5b97fd6e5eaa68825a7a6
Instruction ID: c941d6a45f55f47e8724ea66b04de343fc52953cbcddea1d93731e32500db8d0
Opcode Fuzzy Hash: 16d7c0e4796cebb205c5b6bd63252cb387e9a0bc4ef5b97fd6e5eaa68825a7a6
Instruction Fuzzy Hash: 7FF06DB1905748EFC710DF98C90178DBBFCEB45B24F50066AE8A4E3780D77966048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F1360D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00F13067,?,?,?,?,00FA51DF), ref: 00F13645

Strings

" Yk, xrefs: 00F1361F
`-, xrefs: 00F1363F

Memory Dump Source

Source File: 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000008.00000002.3340080174.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340135861.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340478076.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3340597184.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3341457310.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343395123.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3343450432.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3344362930.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3345064536.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ee0000_RageMP131.jbxd

Similarity

API ID: Time$FilePreciseSystem
String ID: " Yk$`-
API String ID: 1802150274-3396297887
Opcode ID: f3836966f2640ca0ba67f546a96a7bf89bd741895001a6e143fe2b6141fd78b4
Instruction ID: a1e7020600245f9ec9114aab2c557485cfc790f462e2ade0740a3e2201f1d2ee
Opcode Fuzzy Hash: f3836966f2640ca0ba67f546a96a7bf89bd741895001a6e143fe2b6141fd78b4
Instruction Fuzzy Hash: D3F06532A446A4EFCB119F55DC05F99B7A9F708F60F11412AE852D7784DB79A9009B80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RageMP131.exePID: 7080, Parent PID: 4004COMMON

Executed Functions

Function 00FA4EB0 Relevance: 16.8, APIs: 11, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003E0,0000FFFF,00001006,?,00000008), ref: 00FA4F57
recv.WS2_32(?,00000004,00000002), ref: 00FA4F71
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00FA4FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00FA5014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00FA50B0

Part of subcall function 00FA5940: WSAStartup.WS2_32 ref: 00FA596A
Part of subcall function 00FA5940: socket.WS2_32(?,?,?,?,?,?,01066328,?,?), ref: 00FA5A0E
Part of subcall function 00FA5940: connect.WS2_32(00000000,01036B31,?,?,?,?,01066328,?,?), ref: 00FA5A21
Part of subcall function 00FA5940: closesocket.WS2_32(00000000), ref: 00FA5A2D

recv.WS2_32(00000000,?,00000008), ref: 00FA50CB
recv.WS2_32(?,00000004,00000008), ref: 00FA51D3
__Xtime_get_ticks.LIBCPMT ref: 00FA51DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA51E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00FA5261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00FA5269

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
String ID:
API String ID: 301102601-0
Opcode ID: 98c65aa0bf86f2255bceec0d93320c9ba4ba7270f55d922bbf15caa44f804fa3
Instruction ID: d6bba0f83edd258ec69373b4f42b7e820f0d56bcad554f3d159c95f4246492a6
Opcode Fuzzy Hash: 98c65aa0bf86f2255bceec0d93320c9ba4ba7270f55d922bbf15caa44f804fa3
Instruction Fuzzy Hash: 4FB1AEB1D00308DFEB24DFA4CD89BADBBB5FB45710F204219E494AB2D2D77A5944DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00EE9280 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0102A4DC,00000000,761B23A0,-01066880), ref: 00EE96C9

Strings

4oST, xrefs: 00EE962C
4oST, xrefs: 00EE9660
Ws2_32.dll, xrefs: 00EE969A

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: Send
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 121738739-1839276265
Opcode ID: 1476c099a8ea749ce7b31b2cf5567bb057f3c728d1bc78c95b4c2db0cf9d49e3
Instruction ID: 76ecf45683fbfdc8c1e97cbab7cf2632301cdfec2774fa8a49058a11e159eee7
Opcode Fuzzy Hash: 1476c099a8ea749ce7b31b2cf5567bb057f3c728d1bc78c95b4c2db0cf9d49e3
Instruction Fuzzy Hash: C902DA70E04288DFCF25CFA4C8907ACBBB0EF55314F244289E8857B686D7741A86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5940 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00FA596A
socket.WS2_32(?,?,?,?,?,?,01066328,?,?), ref: 00FA5A0E
connect.WS2_32(00000000,01036B31,?,?,?,?,01066328,?,?), ref: 00FA5A21
closesocket.WS2_32(00000000), ref: 00FA5A2D

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: ee3049776f3e03f06002833078ddfe9db936e2d81b5592968ff27cbc93fc41fd
Instruction ID: b014de7f2dba4cf93563dd0f8d93fa47b9cfa069b7f30810d463224e8c3d69db
Opcode Fuzzy Hash: ee3049776f3e03f06002833078ddfe9db936e2d81b5592968ff27cbc93fc41fd
Instruction Fuzzy Hash: C7310772A057015BC7209F648C89B6BB7E8FFCA734F101F1DF9A8931D0D37598049692

Uniqueness

Uniqueness Score: -1.00%

Function 00F29779 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F298FE

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6224bda4925643a7d1f3144d22ff1c62994d7fb75f26ca2ae111efac172e2403
Instruction ID: 1255251ff783324553651b094a929eaf648fece0622c525f1be42dca69fdc57f
Opcode Fuzzy Hash: 6224bda4925643a7d1f3144d22ff1c62994d7fb75f26ca2ae111efac172e2403
Instruction Fuzzy Hash: 3461EB72C08129AFDF11DFA8EC44EEE7BB9BF09324F180149E900A7246D375D941EB50

Uniqueness

Uniqueness Score: -1.00%

Function 05150196 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 19a2609ecdd55a4e5fa4eab6b4f7af072f833925da7605f4a9ee661bae4eb84b
Instruction ID: b2fbd271137a0463095d3589092382b2bc521dfe80b1576ef72499e371abc396
Opcode Fuzzy Hash: 19a2609ecdd55a4e5fa4eab6b4f7af072f833925da7605f4a9ee661bae4eb84b
Instruction Fuzzy Hash: 382103E790C124ED772AC5C11B88AF667AFEA8E3703724066BD27D6601E3E45F8D0171

Uniqueness

Uniqueness Score: -1.00%

Function 05150187 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b45b9355640da2c55af23e39e7818cb2ed313ca2e2f4f3f8cbf07d2f74b90975
Instruction ID: 9e15a208379d48c9b3b99360f84cf0dcdf911699f2b5aa66243b6d2ef7109445
Opcode Fuzzy Hash: b45b9355640da2c55af23e39e7818cb2ed313ca2e2f4f3f8cbf07d2f74b90975
Instruction Fuzzy Hash: 2321D6A750C224EDB72AC5C15B496F667AEEA8E3707724066BD27D2601E3F41E8C0171

Uniqueness

Uniqueness Score: -1.00%

Function 051501C7 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: cbc8cc37da67053cd854d8b1925f74d4c17735813b2dd61b70b328621adc13d7
Instruction ID: 0701253338992943785b0e89eafe0937902150f09e3a179e17f55bfac0d6daee
Opcode Fuzzy Hash: cbc8cc37da67053cd854d8b1925f74d4c17735813b2dd61b70b328621adc13d7
Instruction Fuzzy Hash: A22122A790C224EEA37AC6D10B486F667ABAA9F3307724066BD2396501E3F01E8C0171

Uniqueness

Uniqueness Score: -1.00%

Function 051501F2 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b86ac79a56f1bcbeba4f284d3a937b87cb8dcc42c3fb41fda103ea51b7a660c7
Instruction ID: 0b686ed515bb6f53044a042d1e9601f119f7d2bb708b9cca561a7f513c3aae53
Opcode Fuzzy Hash: b86ac79a56f1bcbeba4f284d3a937b87cb8dcc42c3fb41fda103ea51b7a660c7
Instruction Fuzzy Hash: E21108AB90C114EDA76AC6C15B186F6676EA68F3707764076BD23D6101E3F01F8D4131

Uniqueness

Uniqueness Score: -1.00%

Function 0515020D Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dbf532ed936abff1dc374952cf321e524d33553c7341cb71c6980bc390eaaf91
Instruction ID: 1789be3ec031c95dbb836a031113c58c5cdb0270b1cc45fd89fdcc21c18d8f26
Opcode Fuzzy Hash: dbf532ed936abff1dc374952cf321e524d33553c7341cb71c6980bc390eaaf91
Instruction Fuzzy Hash: 581127A750C114EDA72AC6C15708AF6A76EEA8F3707724472BD13D6101E3F01E8C4531

Uniqueness

Uniqueness Score: -1.00%

Function 05150297 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 264006926374d90303e48177ecd8cf5adf7f33bb89f80e2eeb3057b44eaf1e88
Instruction ID: 05e03aef7c360b5ac9bd4eb1451ae414ac0fb92f3263677916cd5d95a2bc683c
Opcode Fuzzy Hash: 264006926374d90303e48177ecd8cf5adf7f33bb89f80e2eeb3057b44eaf1e88
Instruction Fuzzy Hash: 5C1127E790C264EDA766C1C40709AF66B6FEA8E7707764066FD13C6101E3F40E8D8571

Uniqueness

Uniqueness Score: -1.00%

Function 05150229 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6b5a247197c64134697269beced961130d5246fc9d80cc47263f4316b958d35f
Instruction ID: 069cdc5a682596fcf75ec821a21ab396b8ea95a5acf76ac38bcff0837599a4f8
Opcode Fuzzy Hash: 6b5a247197c64134697269beced961130d5246fc9d80cc47263f4316b958d35f
Instruction Fuzzy Hash: C4115BE790C258EEA756C1D40A59AF66BAE9A8F3707724076FD13D7102E3B00D488171

Uniqueness

Uniqueness Score: -1.00%

Function 051501EB Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2069e830a8143a965962a1f9d51266b830763f5577d3d8765a241643afe53aaa
Instruction ID: 656665b8e12ceef2754002c3f7651432a0c7682c4aeb3efe5b31f6c751fc19cd
Opcode Fuzzy Hash: 2069e830a8143a965962a1f9d51266b830763f5577d3d8765a241643afe53aaa
Instruction Fuzzy Hash: 50113AE780C264EDA76AC1D00649AF667AF9A8F3707724076FD13D6101E3F00D8C4171

Uniqueness

Uniqueness Score: -1.00%

Function 051502AF Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e28e2cf53b30ce5011cd78f88d9d8511f1779d8146670a14c7138ff0b01a9a25
Instruction ID: ddfbb52d88de580ff3bcb899315405866def686e8acfd50f79bdfe5862c81b17
Opcode Fuzzy Hash: e28e2cf53b30ce5011cd78f88d9d8511f1779d8146670a14c7138ff0b01a9a25
Instruction Fuzzy Hash: 8C019CE790C124EEAB1AD6D58699BF62BABDA8E3707330066FD03C7101E3B04DC94561

Uniqueness

Uniqueness Score: -1.00%

Function 05150263 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 57afe6dceb976a835f77ad7c0f2a170acb74e4eb5e5b881c2fac9b9bf5f73fd9
Instruction ID: ed53e0ddc0988d6716dd53233968966713371a4d7952321c9fd76258decdc527
Opcode Fuzzy Hash: 57afe6dceb976a835f77ad7c0f2a170acb74e4eb5e5b881c2fac9b9bf5f73fd9
Instruction Fuzzy Hash: E40168A390C264EEE72AC1D00A586F627AB9A8F3307264067AD23CA201E7B00D884132

Uniqueness

Uniqueness Score: -1.00%

Function 00F28DEF Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F28CD6,00000000,?,01057178,0000000C,00F28D92,?,?,?), ref: 00F28E45

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e34978cc719c2105f4576b8e74ec186658d6b6c9af7cf8391cb6432c41005f82
Instruction ID: 97b1334dad14eaf796074a6c3206dc273412a534eb74aa0fef33f2f51c967436
Opcode Fuzzy Hash: e34978cc719c2105f4576b8e74ec186658d6b6c9af7cf8391cb6432c41005f82
Instruction Fuzzy Hash: 18114233E0653459E63521B47C4ABBE378D8B927B4F3B065DF814A71D2DE299CC27190

Uniqueness

Uniqueness Score: -1.00%

Function 0515027D Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dd199aac3bc00f8f015829aaee613aa0f0208e20d676fef4a70c49b8b1d345f2
Instruction ID: 84a684986aa9d1a79081656fd13162aa8bb0b0b6d6cacc69a69e411c0baad5dc
Opcode Fuzzy Hash: dd199aac3bc00f8f015829aaee613aa0f0208e20d676fef4a70c49b8b1d345f2
Instruction Fuzzy Hash: 5C017BE790C154EEA716C5D54659BFA2BAADACE3707274466BE038B100E3B04DC84561

Uniqueness

Uniqueness Score: -1.00%

Function 05150270 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(5C32B243), ref: 0515028D

Memory Dump Source

Source File: 0000000C.00000002.3352890589.0000000005150000.00000040.00001000.00020000.00000000.sdmp, Offset: 05150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5150000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7e83c57c15605dd99c26de0e011116e64b878d923874f375c4ea287aaa6ef2a6
Instruction ID: 6f1eb0a81a98b9d0e73e9da6ba5d1507922931201a04d5d697d25f40a116743f
Opcode Fuzzy Hash: 7e83c57c15605dd99c26de0e011116e64b878d923874f375c4ea287aaa6ef2a6
Instruction Fuzzy Hash: 7BF07DA390C124DEA729C5D407457F667AB9A8E3707230062BE13DB200E3F00E8C4132

Uniqueness

Uniqueness Score: -1.00%

Function 00F2250C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00F22616,?,?,?,?,?), ref: 00F22548

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b6694411b62d138f0fe8100f90ceaee20ca9f2fdae59df577543f18ef5bf509d
Instruction ID: 44d2d880a4f5b2145e42d1957bf3826e0041e01819e4f3bbe4d2334dbef60a24
Opcode Fuzzy Hash: b6694411b62d138f0fe8100f90ceaee20ca9f2fdae59df577543f18ef5bf509d
Instruction Fuzzy Hash: B0014933610125BFCF19CF18EC56DAE3B19DB81330B384208F8109B291E675EE419B90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE32D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00EE331F

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: e0d60eb349ea39bf7c47352d77c8fa6ce64f775574e129306e8dc4ddb07ca503
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: E6F02472100108DBCB146F75D809CE9B3E8EF143A1710097AE89CE7212EB2ADA809BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A64C Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00F29FD2,00000001,00000364,00000001,00000006,000000FF,?,00F14B2F,?,?,761B23A0,?), ref: 00F2A68E

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 31f6f83a07125cd935c685362f9d7c00ab3e8e5931cb91eed464b41599a3f1c0
Instruction ID: 4806e45798d3a0f9fea84059695dd7f6a6b8c72e51cc297c8046c834f93c4add
Opcode Fuzzy Hash: 31f6f83a07125cd935c685362f9d7c00ab3e8e5931cb91eed464b41599a3f1c0
Instruction Fuzzy Hash: 97F0E9329106326F9B225A62BC05F6B3F49AF41770B1D4112FC089A190DB38D801AAE7

Uniqueness

Uniqueness Score: -1.00%

Function 00F2B086 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00F14B2F,?,?,761B23A0,?,?,00EE3522,?,?), ref: 00F2B0B9

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f56f0eeae70a29449f966604ce156f264aebd978159cbab6207af0f05ea65963
Instruction ID: fbc7e82be9d4713031f28f6c8e29bed187251e3319c03f552dbfa9ff509c2874
Opcode Fuzzy Hash: f56f0eeae70a29449f966604ce156f264aebd978159cbab6207af0f05ea65963
Instruction Fuzzy Hash: 60E06D329026316AEA33A6B57C05B6F3749EF427B0F190121FE24A70C1DF28DC40A1E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F1C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 72fd7202fcea208793c3da3b84e4c0570227d7c24e8642cedffc544939c0b87d
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: E1023B71E412199BDF14CFA9D8806EEBBF1FF48324F248269D919E7380D731AD819B90

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EFA09D
std::_Lockit::_Lockit.LIBCPMT ref: 00EFA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00EFA0E7
__Getctype.LIBCPMT ref: 00EFA1C5
std::_Facet_Register.LIBCPMT ref: 00EFA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00EFA223

Strings

PD, xrefs: 00EFA19A
E, xrefs: 00EFA1AE
PG, xrefs: 00EFA1BF

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD$PG$E
API String ID: 1102183713-3756609794
Opcode ID: aab0cc738f37cbe9c9535c931c33d2fd39ddf3c154bc2bc446f97df8bc8c311d
Instruction ID: fcb204dc5daeb52866930640c04df1eec54ae523214d9a9c913690869c039267
Opcode Fuzzy Hash: aab0cc738f37cbe9c9535c931c33d2fd39ddf3c154bc2bc446f97df8bc8c311d
Instruction Fuzzy Hash: 6551A8B0D01259DFDB20CF98C9417AEBBB4BB00714F18826DD885AB391D779AE44CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F172C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F172F7
___except_validate_context_record.LIBVCRUNTIME ref: 00F172FF
_ValidateLocalCookies.LIBCMT ref: 00F17388
__IsNonwritableInCurrentImage.LIBCMT ref: 00F173B3
_ValidateLocalCookies.LIBCMT ref: 00F17408

Strings

csm, xrefs: 00F1739D
`-, xrefs: 00F173CC

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-$csm
API String ID: 1170836740-3034041616
Opcode ID: 3dbde307851a4881d6a586a9a3ff1d2ecc6f7f7d1e351879b48bd45b2078f379
Instruction ID: 9fc2deefddc9ad5e3bd827ce5aab939c348583ba65c6a8fe563c629b5c493246
Opcode Fuzzy Hash: 3dbde307851a4881d6a586a9a3ff1d2ecc6f7f7d1e351879b48bd45b2078f379
Instruction Fuzzy Hash: 2941A634E043099BCF10EF69C884ADEBBB5AF44324F148155FC189B352DB75D981EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EFC430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EFC45A
std::_Lockit::_Lockit.LIBCPMT ref: 00EFC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00EFC4A4
std::_Facet_Register.LIBCPMT ref: 00EFC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00EFC5C4

Strings

PD, xrefs: 00EFC54E
E, xrefs: 00EFC562

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E$PD
API String ID: 459529453-4195941332
Opcode ID: b61fbdf34898064d4e0776105a9ad7140a6068162e9b57dd61385dcf8d9da799
Instruction ID: 772ccedb06100e01e71930ef81637d4e2f5194d408760917b29a68d93e25b3d5
Opcode Fuzzy Hash: b61fbdf34898064d4e0776105a9ad7140a6068162e9b57dd61385dcf8d9da799
Instruction Fuzzy Hash: DD519FB0900258DFDB21DF98C944BAEBBF0FB00714F348159E595AB381D77AAA45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2BB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F2BBDE

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: 7780c9766bd11b65cb46b35bd2ae4d7fa6b0f95ba70b5e0f0024d40862159b55
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: ECB15732D007759FDB218F24DC82BEE7BA5EF55360F158155ED04AF282D7789901E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F12719 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00F12720
std::_Lockit::_Lockit.LIBCPMT ref: 00F1272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00F12799

Part of subcall function 00F1287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00F12894

std::locale::_Setgloballocale.LIBCPMT ref: 00F12746

Strings

`-, xrefs: 00F12768, 00F1278C

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-
API String ID: 677527491-2038111592
Opcode ID: 658776ac60dba29e95c195e1ed3101aed3cf512b83bedcbbfe5cdc5d2591d3c3
Instruction ID: c1d9868e0adbcf76c7a22bc0aef562c6b0878f5b92ab5e0270d3372e8d71fd7a
Opcode Fuzzy Hash: 658776ac60dba29e95c195e1ed3101aed3cf512b83bedcbbfe5cdc5d2591d3c3
Instruction Fuzzy Hash: 3E01BC75A002209BCB09EB60C8455BD7BB1BF84BA0B088009E84157385CF78AE92EB81

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00EE750C
___std_exception_destroy.LIBVCRUNTIME ref: 00EE7522

Strings

), xrefs: 00EE7502, 00EE751C
[json.exception., xrefs: 00EE73A1

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )$[json.exception.
API String ID: 4194217158-1768919221
Opcode ID: ff0270d93c32449ddaa9fb3980c4dc93047469222e5d958a40322e13772aab38
Instruction ID: 0168660a548facac41d33ec035fcc13f6ed68320b5db229d1c4cb42068e88c55
Opcode Fuzzy Hash: ff0270d93c32449ddaa9fb3980c4dc93047469222e5d958a40322e13772aab38
Instruction Fuzzy Hash: 1B51CFB1D042889FDB00DFA8CD05B9EBBF4EF51314F144269E854AB282E7B85A44D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00EE499F

Strings

ios_base::failbit set, xrefs: 00EE4828, 00EE4941
ios_base::badbit set, xrefs: 00EE4937, 00EE4962
ios_base::eofbit set, xrefs: 00EE4946

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: d03ead5eed8096f33f1742a28478e628eb5df25f341fcfd746a65d4178517b46
Instruction ID: 65a63939f362c9978889a6d1c3d7ef7660ef732d0797351b0316a7dde93124aa
Opcode Fuzzy Hash: d03ead5eed8096f33f1742a28478e628eb5df25f341fcfd746a65d4178517b46
Instruction Fuzzy Hash: 761129F2904688BBCB10DE5DEC42B96739CEB45710F044669FD98B72C2EA35A900D796

Uniqueness

Uniqueness Score: -1.00%

Function 00EE36E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00EE3819
___std_exception_destroy.LIBVCRUNTIME ref: 00EE38F0

Strings

), xrefs: 00EE37ED, 00EE38EA

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )
API String ID: 2970364248-2934624886
Opcode ID: 56e7ee72c96b7a3829f5594d5cc31c61c2e065e6e60f216ca773ba39a203f7f0
Instruction ID: 2be47082885ac62cebf1f8ead2620ef3052c8b4b736cfabcf97204fb1c6633e9
Opcode Fuzzy Hash: 56e7ee72c96b7a3829f5594d5cc31c61c2e065e6e60f216ca773ba39a203f7f0
Instruction Fuzzy Hash: F76189B1D00258DFDB14CF98C948B9DFBB4FF58324F148259E854BB282D7B55A84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE47F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00EE499F

Strings

ios_base::failbit set, xrefs: 00EE4828
ios_base::badbit set, xrefs: 00EE4937, 00EE4962

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 4e144f3690b2e536f2e9a4abf8d6189152886989c7cedbdfeecc19f7935dc9a2
Instruction ID: 30cac973552674c3a3c654078d4f333de3dcd4ce832ae2774caa39c8c37cdcde
Opcode Fuzzy Hash: 4e144f3690b2e536f2e9a4abf8d6189152886989c7cedbdfeecc19f7935dc9a2
Instruction Fuzzy Hash: F24101B1900288ABCB04DF69CC45BAEBBF8EB45710F14825DF454BB382D775AA00DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EE4061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00EE40C4

Strings

bad locale name, xrefs: 00EE40E6

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 242190953e814f941779ea5059ec7335afd62a7269a4a0091cb29ceb2c73007e
Instruction ID: 0a361bede260366bacd68d240575a90c4f933af2437b93e0ab889637e6a5874a
Opcode Fuzzy Hash: 242190953e814f941779ea5059ec7335afd62a7269a4a0091cb29ceb2c73007e
Instruction Fuzzy Hash: 1A11D3B0905BC4DED721CFA8C90478BBFF4AF15714F14869DE09597B81D3B9AA04C792

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00EF65C9
___std_exception_copy.LIBVCRUNTIME ref: 00EF65FC

Strings

), xrefs: 00EF65BA, 00EF65ED

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )
API String ID: 2659868963-2934624886
Opcode ID: 80035c20609282a71bc875d013ec7be81933b4a88d491c62ab3208981e333fc5
Instruction ID: e5f5babede17e87bb98c029d3f8547f18819ac5b23c6c3f694796235e4af498d
Opcode Fuzzy Hash: 80035c20609282a71bc875d013ec7be81933b4a88d491c62ab3208981e333fc5
Instruction Fuzzy Hash: 65112EB5900648EBCB15CF99C980B86F7FCFB59720F10876AE95497641E774A540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE7A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00EE7A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00EE7A72

Strings

), xrefs: 00EE7A52, 00EE7A6C

Memory Dump Source

Source File: 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, Offset: 00EE0000, based on PE: true

Associated: 0000000C.00000002.3340427755.0000000000EE0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340478716.0000000001062000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.0000000001067000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3340826541.000000000106F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001074000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012C2000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.00000000012FE000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001307000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3341151629.0000000001315000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3343463702.0000000001316000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346149762.000000000149E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.000000000149F000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A4000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346209804.00000000014A7000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346402716.00000000014AA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3346488774.00000000014AB000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ee0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )
API String ID: 4194217158-2934624886
Opcode ID: 16d7c0e4796cebb205c5b6bd63252cb387e9a0bc4ef5b97fd6e5eaa68825a7a6
Instruction ID: c941d6a45f55f47e8724ea66b04de343fc52953cbcddea1d93731e32500db8d0
Opcode Fuzzy Hash: 16d7c0e4796cebb205c5b6bd63252cb387e9a0bc4ef5b97fd6e5eaa68825a7a6
Instruction Fuzzy Hash: 7FF06DB1905748EFC710DF98C90178DBBFCEB45B24F50066AE8A4E3780D77966048BA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hYrJbjnzVc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
hYrJbjnzVc.exe

Function 00345940 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Function 00344EB0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 284
networksleepCOMMON

Function 00289280 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 383
networkCOMMON

Function 05020A2D Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 433
COMMON

Function 05020A3C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 415
COMMON

Function 05020A4C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 411
COMMON

Function 05020AD5 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 411
COMMON

Function 05020A6F Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 406
COMMON

Function 05020A84 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 401
COMMON

Function 05020AFF Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 389
COMMON

Function 05020AB1 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 378
COMMON

Function 05020B35 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 355
COMMON

Function 05020B67 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 352
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre