Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1460423
MD5: b7e7f713ce1c717b6ae28904971e37e5
SHA1: c18c91d091956967f5937ce5bd1555ea6494309f
SHA256: f44b54751b7158902476013aed1fbcfec96bc0ab19b3303d088dec97f418885e
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Steals Internet Explorer cookies
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • file.exe (PID: 4536 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B7E7F713CE1C717B6AE28904971E37E5)
    • schtasks.exe (PID: 6900 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6444 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 3308 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: B7E7F713CE1C717B6AE28904971E37E5)
    • WerFault.exe (PID: 7588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7112 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: B7E7F713CE1C717B6AE28904971E37E5)
  • RageMP131.exe (PID: 7264 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: B7E7F713CE1C717B6AE28904971E37E5)
  • RageMP131.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: B7E7F713CE1C717B6AE28904971E37E5)
  • cleanup
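The process tree above shows the persistence pair this sample sets up: two schtasks /create calls (HOURLY and ONLOGON, both /rl HIGHEST) that launch C:\ProgramData\MPGPH131\MPGPH131.exe, and a HKCU\...\CurrentVersion\Run\RageMP131 value pointing at C:\Users\user\AppData\Local\RageMP131\RageMP131.exe (the Sigma hit further down). Both dropped copies carry the original sample's MD5, so they are self-copies. The hunt below, written for this page as an added example and not part of the Joe Sandbox report, parses Sysmon-style process-create (Event ID 1) and registry-set (Event ID 13) records and flags exactly that shape: a task or Run value that runs elevated or on an autorun trigger from a user-writable directory. The event records are constructed to mirror the report; the USER_WRITABLE markers, the trigger list and the two-signal threshold are this example's own choices.

```python
"""Hunt for the persistence pair this report records: schtasks /create with
/rl HIGHEST launching a binary from a user-writable directory, and a
CurrentVersion Run value pointing at the same kind of path.
Added example, not part of the Joe Sandbox report. The Sysmon-style events
below are constructed to mirror the report's process tree and Sigma hit;
field names follow Sysmon Event ID 1 (process create) and 13 (registry
value set), and the thresholds are this example's own choice."""
import re

# Directories a standard user can write to. Autoruns launched from here are
# far more suspicious than ones under Program Files or System32 (assumption).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")

# Triggers that make a task fire without further user action (assumption).
AUTORUN_TRIGGERS = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}

RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\",
    re.IGNORECASE,
)


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted runs" whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return {'/flag': value} for a 'schtasks /create' command line, else None.
    Flags that take no argument (/create, /f) map to True."""
    toks = _tokens(cmdline)
    if not toks or "schtasks" not in toks[0].lower():
        return None
    opts, i = {}, 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            opts[flag] = True
            i += 1
    return opts if "/create" in opts else None


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def hunt(events):
    """Scan Sysmon-style event dicts and return a list of persistence findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            opts = parse_schtasks(ev.get("CommandLine", ""))
            if not opts:
                continue
            target = str(opts.get("/tr", ""))
            reasons = []
            if str(opts.get("/rl", "")).upper() == "HIGHEST":
                reasons.append("runs with highest privileges (/rl HIGHEST)")
            if str(opts.get("/sc", "")).upper() in AUTORUN_TRIGGERS:
                reasons.append("autorun trigger (/sc %s)" % str(opts["/sc"]).upper())
            if user_writable(target):
                reasons.append("task binary in user-writable path")
            # Two independent signals keep ordinary admin-created tasks quiet.
            if len(reasons) >= 2:
                findings.append({"type": "scheduled_task", "name": str(opts.get("/tn", "")),
                                 "target": target, "reasons": reasons})
        elif ev["EventID"] == 13 and ev.get("EventType") == "SetValue":
            if RUN_KEY_RE.search(ev.get("TargetObject", "")) and user_writable(ev.get("Details", "")):
                findings.append({"type": "run_key", "name": ev["TargetObject"],
                                 "target": ev["Details"],
                                 "reasons": ["autorun value points to user-writable path"]})
    return findings


# Constructed events mirroring the report's process tree and Sigma hit, plus
# two benign records that the hunt must leave alone.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",  # benign vendor updater
     "CommandLine": 'schtasks /create /tn "VendorUpdate" /tr "C:\\Program Files\\Vendor\\update.exe" /sc DAILY /rl LIMITED'},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Users\\user\\Desktop\\file.exe",
     "TargetObject": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RageMP131",
     "Details": "C:\\Users\\user\\AppData\\Local\\RageMP131\\RageMP131.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",  # benign
     "TargetObject": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["type"], finding["name"], "->", finding["target"], finding["reasons"])
```

On a live host the same logic can be fed from Get-WinEvent output of the Sysmon operational log; the /RU value is deliberately not used as a signal because the report shows the task created for the current user, not SYSTEM, and the elevation comes from /rl HIGHEST.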
Malware Configuration

No configs have been found

Yara Overview

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\EfSAyduNP94O7VkIcUcjXr_.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 4536 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
(5 further entries not shown in this extract)

System Summary

Sigma rule: CurrentVersion Autorun Keys Modification
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 4536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Snort IDS Alerts

Timestamp                 SID      Src Port  Dst Port  Proto  Classtype
06/21/24-00:21:04.001309  2049060  49701     58709     TCP    A Network Trojan was detected
06/21/24-00:21:04.598857  2046266  58709     49701     TCP    A Network Trojan was detected
06/21/24-00:21:07.716237  2046269  49701     58709     TCP    A Network Trojan was detected
06/21/24-00:21:08.254846  2046267  58709     49701     TCP    A Network Trojan was detected
06/21/24-00:21:08.889682  2046266  58709     49702     TCP    A Network Trojan was detected
06/21/24-00:21:08.912466  2046266  58709     49703     TCP    A Network Trojan was detected
06/21/24-00:21:09.129736  2046267  58709     49702     TCP    A Network Trojan was detected
06/21/24-00:21:09.145970  2046267  58709     49703     TCP    A Network Trojan was detected
06/21/24-00:21:18.191477  2046269  49702     58709     TCP    A Network Trojan was detected
06/21/24-00:21:22.433823  2046266  58709     49716     TCP    A Network Trojan was detected
06/21/24-00:21:29.885372  2046266  58709     49721     TCP    A Network Trojan was detected

Rows are sorted by timestamp. Port 58709 is the C2 side (77.91.77.66); 497xx are the client's ephemeral ports, so rows with Src Port 58709 are server-to-client packets. The SIDs are the ET rules listed in the Networking section: 2049060 RisePro TCP Heartbeat Packet (client to server), 2046269 RisePro TCP (Activity) (client to server), 2046266 RisePro TCP (Token) and 2046267 RisePro TCP (External IP) (server to client). The sequence per session is heartbeat, token, activity, external IP, repeated on each new client port.


AV Detection

Source: http://77.91.77.81/mine/amadka.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeE | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exerisepro3J | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exep | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exen | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe | Avira URL Cloud: Label: phishing
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6B00 CryptUnprotectData, CryptUnprotectData, LocalFree, LocalFree
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004C6B00 CryptUnprotectData, CryptUnprotectData, LocalFree, LocalFree

Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49725 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6000 FindFirstFileA, FindNextFileA, GetLastError, FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00432022 GetLastError, GetFileAttributesExW, GetLastError, FindFirstFileW, GetLastError, FindClose, ___std_fs_open_handle@16, GetFileInformationByHandleEx, GetLastError, GetFileInformationByHandleEx, GetFileInformationByHandleEx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E6770 FindFirstFileA, SetFileAttributesA, DeleteFileA, FindNextFileA, FindClose, GetLastError, SetFileAttributesA, GetLastError, RemoveDirectoryA, GetLastError, GetLastError, std::_Throw_Cpp_error, std::_Throw_Cpp_error, CreateDirectoryA, std::_Throw_Cpp_error, std::_Throw_Cpp_error
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431F9C FindClose, FindFirstFileExW, GetLastError
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004C6000 CreateDirectoryA, FindFirstFileA, FindNextFileA, GetLastError, FindClose
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004E6770 FindFirstFileA, SetFileAttributesA, DeleteFileA, FindNextFileA, FindClose, GetLastError, SetFileAttributesA, GetLastError, RemoveDirectoryA, GetLastError, GetLastError, std::_Throw_Cpp_error, std::_Throw_Cpp_error
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00493F40 SHGetFolderPathA, FindFirstFileA, FindNextFileA, FindClose, CreateDirectoryA, CreateDirectoryA, CreateDirectoryA, CopyFileA, CreateDirectoryA, CreateDirectoryA, CopyFileA, CopyFileA, CredEnumerateA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004DFF00 CreateDirectoryA, FindFirstFileA, CreateDirectoryA, CopyFileA, FindNextFileA, FindClose, GetLastError, GetLastError, CreateDirectoryA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetCurrentHwProfileA, GetModuleHandleExA, GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetComputerNameA, GetUserNameA, GetDesktopWindow, GetWindowRect, GetUserDefaultLocaleName, GetKeyboardLayoutList, GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA, LocalFree, GetLocalTime, GetSystemTime, GetTimeZoneInformation, TzSpecificLocalTimeToSystemTime, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetSystemInfo, GlobalMemoryStatusEx, EnumDisplayDevicesA, EnumDisplayDevicesA, CreateToolhelp32Snapshot, Process32First, Process32Next, Process32Next, CloseHandle, RegOpenKeyExA, RegEnumKeyExA, wsprintfA, RegOpenKeyExA, RegQueryValueExA, RegQueryValueExA, RegCloseKey, RegCloseKey
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00431F9C FindClose, FindFirstFileExW, GetLastError
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00432022 GetLastError, GetFileAttributesExW, GetLastError, FindFirstFileW, GetLastError, FindClose, ___std_fs_open_handle@16, GetFileInformationByHandleEx, GetLastError, GetFileInformationByHandleEx, GetFileInformationByHandleEx
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004938D0 FindFirstFileA, FindNextFileA, GetLastError, FindClose

              Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.7:49701 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49701
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49701 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.7:49701
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49702
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49703
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.7:49702
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.7:49703
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49702 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49716
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49721

Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
  Caveat: every other connection to this host recorded in the report, including all Snort hits, uses port 58709 only, and the extra values (0, 5, 7, 8, 9) are exactly the digits of 58709. Confirm against the PCAP before treating the "likely port scanning" signature as real scanning activity.
Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 77.91.77.66:58709
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive (no User-Agent header)
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 172.67.75.166
Source: Joe Sandbox View | IP Address: 77.91.77.66
Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io (5 requests)
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com (5 requests)
Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66 (50 connections)
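The report records 50 TCP connections to 77.91.77.66 on port 58709 with no DNS query behind them, while the two IP-lookup services (ipinfo.io, db-ip.com) were resolved normally and reached over 443. That contrast is the detection: a public destination that never appeared in a DNS answer, on a port a workstation does not normally use, hit repeatedly. The script below implements that check over Zeek-style dns.log and conn.log records. It is an added example written for this page, not code from the Joe Sandbox report; the log tuples are constructed to mirror the capture, and COMMON_PORTS and BEACON_MIN_CONNECTIONS are assumptions. It also handles the ordering edge case a naive join misses: a DNS answer that arrives after the connection started does not explain it.

```python
"""Flag outbound connections to public IPs that no DNS answer produced, the
'TCP traffic detected without corresponding DNS query' behaviour this report
records 50 times for 77.91.77.66:58709. Added example, not part of the Joe
Sandbox report. The Zeek-style dns.log / conn.log tuples are constructed to
mirror the capture; COMMON_PORTS and the beacon threshold are assumptions."""
import ipaddress
from collections import defaultdict

# Ports a workstation routinely reaches on the Internet (assumption). An
# unresolved public IP on any other port is the shape of the C2 session here.
COMMON_PORTS = {53, 80, 123, 443, 853}
BEACON_MIN_CONNECTIONS = 3

# Constructed dns.log rows: (ts, query, [answer IPs]).
DNS_LOG = [
    (1718929260.0, "ipinfo.io", ["34.117.186.192"]),
    (1718929261.0, "db-ip.com", ["172.67.75.166"]),
]
# Constructed conn.log rows: (ts, orig_h, resp_h, resp_p, proto).
CONN_LOG = [
    (1718929264.0, "192.168.2.7", "77.91.77.66", 58709, "tcp"),
    (1718929265.0, "192.168.2.7", "34.117.186.192", 443, "tcp"),
    (1718929266.0, "192.168.2.7", "172.67.75.166", 443, "tcp"),
    (1718929267.0, "192.168.2.7", "77.91.77.66", 58709, "tcp"),
    (1718929268.0, "192.168.2.7", "192.168.2.1", 445, "tcp"),   # LAN: skipped
    (1718929269.0, "192.168.2.7", "34.117.186.192", 443, "tcp"),
    (1718929270.0, "192.168.2.7", "77.91.77.66", 58709, "tcp"),
    (1718929271.0, "192.168.2.7", "8.8.8.8", 53, "udp"),          # not TCP: skipped
]


def first_answer_time(dns_log):
    """Earliest timestamp at which each IP appeared in a DNS answer."""
    seen = {}
    for ts, _query, answers in dns_log:
        for addr in answers:
            seen[addr] = min(ts, seen.get(addr, ts))
    return seen


def unresolved_connections(conn_log, dns_log):
    """Group TCP connections to public IPs that were not resolved before the
    connection started. A DNS answer that arrives later does not explain an
    earlier connection, so ordering is checked, not just membership."""
    answered = first_answer_time(dns_log)
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "first_ts": None})
    for ts, _orig, resp_h, resp_p, proto in conn_log:
        if proto != "tcp" or not ipaddress.ip_address(resp_h).is_global:
            continue
        if resp_h in answered and answered[resp_h] <= ts:
            continue
        entry = hits[resp_h]
        entry["count"] += 1
        entry["ports"].add(resp_p)
        if entry["first_ts"] is None:
            entry["first_ts"] = ts
    return {ip: {"count": e["count"], "ports": sorted(e["ports"]), "first_ts": e["first_ts"]}
            for ip, e in hits.items()}


def verdicts(summary):
    """'likely-c2' for repeated sessions to a non-standard port, 'review' for a
    single odd-port session, 'low' when only common ports were used."""
    out = {}
    for ip, e in summary.items():
        odd_ports = [p for p in e["ports"] if p not in COMMON_PORTS]
        if odd_ports and e["count"] >= BEACON_MIN_CONNECTIONS:
            out[ip] = "likely-c2"
        elif odd_ports:
            out[ip] = "review"
        else:
            out[ip] = "low"
    return out


if __name__ == "__main__":
    summary = unresolved_connections(CONN_LOG, DNS_LOG)
    for ip, verdict in verdicts(summary).items():
        print(ip, verdict, summary[ip])
```

Hard-coded C2 addresses are exactly what this check catches; a sample that resolved its C2 through DNS would pass it, so pair it with the Snort signatures above rather than relying on it alone.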
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C7B00 recv, setsockopt, recv, WSAGetLastError, recv, recv, setsockopt, recv, recv, recv, __Xtime_get_ticks, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, Sleep, Sleep
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: db-ip.com
Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exeE
Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exep
Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exen
Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exerisepro3J
Source: Amcache.hve.21.dr | String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33Ap
Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33K
Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33SE
Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33i
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33z
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/n
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/w
              Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33r
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/&
              Source: file.exe, 00000000.00000002.1408683703.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
              Source: file.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.335
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33o
              Source: file.exe, 00000000.00000002.1408683703.0000000000FBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33s
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/y
              Source: file.exe, 00000000.00000002.1408683703.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33%
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33h
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t._
              Source: file.exe, 00000000.00000002.1408683703.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, EfSAyduNP94O7VkIcUcjXr_.zip.14.drString found in binary or memory: https://t.me/RiseProSUPPORT
              Source: MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT-
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTMP=C:
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTOCESSOR_IDENTIFIER=Intel%q
              Source: MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTv
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.14.drString found in binary or memory: https://t.me/risepro_bot
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot33
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botB
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botL
              Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botO
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botZ
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botq
              Source: MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.y
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://www.ecosia.org/newtab/
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: file.exe, MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1419793250.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/g
              Source: MPGPH131.exe, 0000000E.00000003.1420362412.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1419793250.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.14.dr, D87fZN3R3jFeplaces.sqlite.15.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: MPGPH131.exe, 0000000E.00000003.1420362412.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1419793250.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.00000000057A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/#
              Source: MPGPH131.exe, 0000000E.00000003.1420362412.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1419793250.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.14.dr, D87fZN3R3jFeplaces.sqlite.15.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49704 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49705 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49706 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49707 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49708 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49709 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49717 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49718 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49724 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49725 version: TLS 1.2
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004E5FF0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,705374A0,DeleteObject,DeleteObject,ReleaseDC

              System Summary

              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049F0D0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AA200
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049D3A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053F550
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FAD00
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049AF60
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043C960
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043A928
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004371A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044036F
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A4320
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00458BB0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004963B0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EEC40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EFC40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00534D40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00546D20
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00545DE0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042F580
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452610
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3610
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00458E30
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004986B0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547760
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F2FD0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E77E0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0044002D
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004DF030
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0049F0D0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004AA200
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0049D3A0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004963B0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00490440
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004DE430
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0053F550
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004D7600
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004986B0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0040B8E0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00481C10
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004FAD00
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00493F40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0049AF60
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004DFF00
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00493080
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004371A0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0044036F
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004A4320
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004845E0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0042F580
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004A3610
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_005486C0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00547760
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004E77E0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004547BF
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0043C960
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0043A928
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0044DA86
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00458BB0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004EEC40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004EFC40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00534D40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00546D20
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00545DE0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00458E30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00541F00
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004F2FD0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0041ACE0 appears 86 times
              Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0041ACE0 appears 77 times
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 824
              Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
              Source: file.exe, 00000000.00000000.1250380943.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exe, 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.9981028117541766
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.9910126879699248
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.990234375
              Source: file.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9981028117541766
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9910126879699248
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.990234375
              Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9981028117541766
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9910126879699248
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.990234375
              Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/33@2/3
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E77E0 CopyFileA,GetLastError,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\RageMP131
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3308
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user~1\AppData\Local\Temp\rage131MP.tmp
              Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: file.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: MPGPH131.exe, 0000000E.00000003.1436387408.00000000057A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1420287683.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1420362412.000000000578D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.000000000578D000.00000004.00000020.00020000.00000000.sdmp, XV6CMo7Jg4S7Login Data For Account.14.dr, diymrzMDsfMULogin Data.14.dr, 4k4Hzk2ExswRLogin Data.14.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: file.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exe
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 824
              Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exeSection loaded (in order): apphelp.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, ntmarta.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, windows.storage.dll, wldp.dll, vaultcli.dll, wintypes.dll
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded (in order, same for both schtasks.exe instances): kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded (in order, first instance): apphelp.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, fwpuclnt.dll, rasadhlp.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, vaultcli.dll, wintypes.dll, windows.storage.dll, wldp.dll, ntmarta.dll, dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded (in order, second instance): rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, windows.storage.dll, wldp.dll, vaultcli.dll, wintypes.dll, ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded (in order, first instance): apphelp.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded (in order, second instance): rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll
Note: the three binaries load the same module set. vaultcli.dll and dpapi.dll are what a Credential Manager / DPAPI reader needs, schannel.dll with winhttp.dll/wininet.dll is a TLS HTTP client, and d3d11.dll/dxgi.dll/d3d10warp.dll are the modules one expects for screen capture; the set is consistent with the credential-theft, network and screenshot behaviour flagged for this sample.
Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: file.exeStatic file information: File size 3288080 > 1048576
              Source: file.exeStatic PE information: Raw size of .boot is bigger than: 0x100000 < 0x26b400
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280 (the classic remote-thread injection chain: allocate in the target process, write the payload, resolve an address with LoadLibraryA/GetProcAddress and write it across, start it with CreateRemoteThread and wait on the thread handle)
              Source: initial sampleStatic PE information: section where entry point is pointing to: .boot
Source: file.exeStatic PE information: section names: four sections whose names consist of special characters (rendered blank in this export), .themida, .boot
Source: RageMP131.exe.0.drStatic PE information: section names: four sections whose names consist of special characters (rendered blank in this export), .themida, .boot
Source: MPGPH131.exe.0.drStatic PE information: section names: four sections whose names consist of special characters (rendered blank in this export), .themida, .boot
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0064E8B4 push 5171531Fh; mov dword ptr [esp], ebp0_2_008CC8C0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0064E8B4 push edi; mov dword ptr [esp], ebx0_2_008CC8C4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_0064E8B4 push 5171531Fh; mov dword ptr [esp], ebp14_2_008CC8C0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_0064E8B4 push edi; mov dword ptr [esp], ebx14_2_008CC8C4
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_00433F59 push ecx; ret 14_2_00433F6C
Source: file.exeStatic PE information: section (special-character name, rendered blank): entropy: 7.974899357034606
Source: RageMP131.exe.0.drStatic PE information: section (special-character name, rendered blank): entropy: 7.974899357034606
Source: MPGPH131.exe.0.drStatic PE information: section (special-character name, rendered blank): entropy: 7.974899357034606
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\MPGPH131\MPGPH131.exe
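Added example, not part of the Joe Sandbox report and not code from the sample: a Python check that reproduces the static indicators raised against file.exe and its two dropped copies, namely section names made of special characters, a `.themida`/`.boot` section pair, a section whose entropy is close to 8 bits per byte, and an entry point that lies in `.boot` instead of `.text`. It assembles a constructed PE32 image in memory with that layout (the four special-character sections are collapsed to one) so it runs without the sample; the section-name lists and the 7.5 entropy threshold are the author's assumptions, and on real files `pefile` would replace the hand-written parser.

```python
import hashlib
import math
import struct
from collections import Counter

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
# Section names a normal compiler/linker emits; an entry point outside these is worth a look (assumed list).
STANDARD = {b".text", b".rdata", b".data", b".bss", b".idata", b".edata", b".rsrc", b".reloc", b".pdata", b".tls", b".CRT"}
# Names left behind by common packers: Themida/WinLicense, UPX, VMProtect, ASPack (assumed list).
KNOWN_PACKER = {b".themida", b".boot", b"UPX0", b"UPX1", b".vmp0", b".vmp1", b".aspack", b".adata"}

def align(n, a):
    return (n + a - 1) // a * a

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe):
    """Minimal PE parser: (AddressOfEntryPoint, [section dicts]) from the COFF/optional headers and section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                           # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize, "raw": pe[rptr:rptr + rsize]})
    return entry, sections

def packer_indicators(pe, entropy_threshold=7.5):
    """Return (kind, section_name, detail) tuples for each static indicator found."""
    entry, sections = parse_sections(pe)
    issues, entry_section = [], None
    for s in sections:
        name = s["name"]
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], len(s["raw"])):
            entry_section = s
        if not name or not all(0x21 <= b <= 0x7E for b in name):
            issues.append(("unprintable_name", name, name.hex()))
        elif name in KNOWN_PACKER:
            issues.append(("packer_name", name, name.decode()))
        ent = shannon_entropy(s["raw"])
        if ent >= entropy_threshold:
            issues.append(("high_entropy", name, f"{ent:.3f}"))
    if entry_section is None:
        issues.append(("entry_point_outside_sections", b"", hex(entry)))
    elif entry_section["name"] not in STANDARD:
        issues.append(("entry_point_outside_standard", entry_section["name"], hex(entry)))
    return issues

def pseudo_random(n, seed=b"constructed-fixture"):
    """Deterministic high-entropy filler (chained SHA-256) standing in for a packed payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])

def build_pe(sections, entry_section):
    """Assemble a minimal PE32 file from [(name, data)] pairs. Constructed fixture, not a real sample."""
    e_lfanew, opt_size, nsect = 0x40, 0xE0, len(sections)
    headers = align(e_lfanew + 4 + 20 + opt_size + 40 * nsect, FILE_ALIGN)
    layout, vaddr, rptr = [], SECT_ALIGN, headers
    for name, data in sections:
        rsize = align(len(data), FILE_ALIGN)
        layout.append((name, data, vaddr, rsize, rptr))
        vaddr += align(max(len(data), 1), SECT_ALIGN)
        rptr += rsize
    entry = next(va for n, _, va, _, _ in layout if n == entry_section)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)   # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, headers)                   # SizeOfHeaders
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x102) + opt
    for name, data, va, rsize, rp in layout:
        img += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va, rsize, rp, 0, 0, 0, 0, 0x60000020)
    img = img.ljust(headers, b"\0")
    for _, data, _, rsize, _ in layout:
        img += data.ljust(rsize, b"\0")
    return bytes(img)

# Layout modelled on the report: one special-character section carrying the packed payload,
# then .themida and a .boot section that holds the entry point, then a small .text.
SAMPLE_SECTIONS = [
    (b"\x01\x02\x03", pseudo_random(16384)),                        # unreadable name, ~7.99 bits/byte
    (b".themida", b"\0" * 512),
    (b".boot", b"\x60\xe8\x00\x00\x00\x00\x5d" + b"\x90" * 57),     # tiny unpacking stub
    (b".text", b"\xcc" * 512),
]

if __name__ == "__main__":
    for kind, name, detail in packer_indicators(build_pe(SAMPLE_SECTIONS, b".boot")):
        print(f"{kind:30} {name!r:14} {detail}")
```

The entropy figure in the report (7.97) sits in the same band the fixture produces; a threshold around 7.5 separates compressed or encrypted payloads from ordinary code and data without tripping on `.rsrc` sections that hold a few PNG icons.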

              Boot Survival

              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
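Added example, not from the report: detection logic for the two persistence mechanisms recorded here and in the process-creation entries, the `schtasks /create ... /rl HIGHEST` tasks that point at C:\ProgramData and the HKCU\...\Run value `RageMP131` that points into AppData\Local. It runs over constructed process-creation and registry events in an assumed minimal field layout (not a real EDR or Sysmon schema) and scores a task on traits that rarely coincide in legitimate software: a target binary in a user-writable directory, `/rl HIGHEST`, an hourly or logon schedule, and `/f` silently replacing an existing task of the same name. One caveat: `/rl HIGHEST` does not grant privileges; the task only runs elevated if the creating account already holds them, otherwise it runs at the user's own integrity level.

```python
import re

# Constructed sample events modelled on the schtasks and Run-key lines of this report.
# The dict layout is an assumed minimal EDR-style shape, not a real product format.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    # Benign-looking control: vendor path under Program Files, daily schedule, no elevation requested.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Adobe Update" /tr "C:\Program Files\Adobe\update.exe" /sc DAILY'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "RageMP131", "data": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "SecurityHealth", "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# Directories an unprivileged user can write to; assumed list, extend for your environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:programdata|users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|windows\\temp)\\",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?$", re.IGNORECASE)
AGGRESSIVE_SCHEDULES = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans intact (quotes removed)."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def parse_schtasks_create(cmdline):
    """Return the /tn, /tr, /sc, /rl, /ru values of a 'schtasks /create' line, or None if it is not one."""
    tokens = tokenize(cmdline)
    lowered = [t.lower() for t in tokens]
    if not tokens or "schtasks" not in lowered[0] or "/create" not in lowered:
        return None
    args = {"force": "/f" in lowered}
    for i, tok in enumerate(lowered[:-1]):
        if tok in ("/tn", "/tr", "/sc", "/rl", "/ru"):
            args[tok[1:]] = tokens[i + 1]
    return args

def evaluate_schtasks(cmdline):
    """Score a schtasks /create command; return a finding when two or more persistence traits line up."""
    args = parse_schtasks_create(cmdline)
    if args is None:
        return None
    reasons, target = [], args.get("tr", "")
    if USER_WRITABLE.search(target):
        reasons.append("task binary lives in a user-writable directory")
    if args.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST requested")
    if args.get("sc", "").upper() in AGGRESSIVE_SCHEDULES:
        reasons.append(f"aggressive schedule {args['sc'].upper()}")
    if args["force"]:
        reasons.append("/f overwrites an existing task of the same name")
    if len(reasons) < 2:
        return None
    return {"kind": "scheduled_task", "name": args.get("tn", ""), "target": target, "reasons": reasons}

def evaluate_run_key(key, value, data):
    """Flag Run/RunOnce values whose target sits in a user-writable directory."""
    if RUN_KEY.search(key) and USER_WRITABLE.search(data):
        return {"kind": "run_key", "name": value, "target": data,
                "reasons": ["autorun value points into a user-writable directory"]}
    return None

def detect_persistence(events):
    """Run both checks over process and registry events and return the findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            f = evaluate_schtasks(ev["cmdline"])
        elif ev["type"] == "registry":
            f = evaluate_run_key(ev["key"], ev["value"], ev["data"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in detect_persistence(SAMPLE_EVENTS):
        print(f"[{f['kind']}] {f['name']} -> {f['target']}: " + "; ".join(f["reasons"]))
```

The same scoring applies to Task Scheduler operational-log events and to the XML under C:\Windows\System32\Tasks, which is where to look when schtasks.exe itself was not the creator (the sample could equally have used the ITaskService COM interface that taskschd.dll exposes).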
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX (51 occurrences)

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Stalling execution: Execution stalls by calling Sleep (graph_0-36643)
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Stalling execution: Execution stalls by calling Sleep (graph_14-53648)
              Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-36642)
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_14-53669)
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_14-46125)
              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-36788)
              Source: C:\Users\user\Desktop\file.exe TID: 6348 | Thread sleep count: 34 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 6348 | Thread sleep count: 37 > 30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3216 | Thread sleep count: 81 > 30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6756 | Thread sleep count: 83 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7268 | Thread sleep count: 136 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7624 | Thread sleep count: 45 > 30
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6000 FindFirstFileA,FindNextFileA,GetLastError,FindClose
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00431F9C FindClose,FindFirstFileExW,GetLastError
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Dk&Ven_VMware&P
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
              Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D35000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ra Change Transaction PasswordVMware20,11696492231
              Source: MPGPH131.exe, 0000000E.00000002.1649901501.0000000005BC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}}C
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D35000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&NE
              Source: Amcache.hve.21.dr | Binary or memory string: vmci.sys
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: global block list test formVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: comVMware20,11696492231o
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXn
              Source: Amcache.hve.21.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.21.dr | Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual RAM
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696492231
              Source: Amcache.hve.21.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.21.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9C3F3566
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
              Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual USB Mouse
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696492231
              Source: RageMP131.exe, 00000016.00000003.1528744564.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
              Source: Amcache.hve.21.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005760000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L~
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: formVMware20,11696492231
              Source: Amcache.hve.21.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492
              Source: file.exe, 00000000.00000002.1408683703.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000g
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r global passwords blocklistVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
              Source: Amcache.hve.21.dr | Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.21.dr | Binary or memory string: \driver\vmci,\driver\pci
              Source: file.exe, 00000000.00000002.1408683703.0000000000F70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000@Z
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,1169649223
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&)8:
              Source: Amcache.hve.21.dr | Binary or memory string: VMware
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005760000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT}z.
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: o.inVMware20,11696492231~
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: AMC password management pageVMware20,11696492231
              Source: Amcache.hve.21.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pageformVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
              Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}qE
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
              Source: RageMP131.exe, 00000016.00000003.1528744564.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
              Source: Amcache.hve.21.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: discord.comVMware20,11696492231f
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
              Source: Amcache.hve.21.dr | Binary or memory string: VMware20,1
              Source: Amcache.hve.21.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.21.dr | Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
              Source: Amcache.hve.21.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
              Source: Amcache.hve.21.dr | Binary or memory string: VMware VMCI Bus Device
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
              Source: Amcache.hve.21.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,116(
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnIA
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ccount.microsoft.com/profileVMware20,11696492231u
              Source: Amcache.hve.21.dr | Binary or memory string: vmci.syshbin
              Source: Amcache.hve.21.dr | Binary or memory string: VMware, Inc.
              Source: Amcache.hve.21.dr | Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.21.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.21.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: file.exe, 00000000.00000002.1408683703.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005760000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\igkpcodhieompeloncfnbekccinhapdb\CURRENT
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
              Source: Amcache.hve.21.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rootpagecomVMware20,11696492231o
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
              Source: Amcache.hve.21.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.21.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: MBy5KfxI1GpwWeb Data.14.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
              Source: MPGPH131.exe, 0000000E.00000003.1320967567.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}mD
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process information queried: ProcessInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h]
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004C6D80 mov eax, dword ptr fs:[00000030h]
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00493F40 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004531CA GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044B1B1 EnumSystemLocalesW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004532F3 GetLocaleInfoW,GetLocaleInfoW,GetACP
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452B5A GetACP,IsValidCodePage,GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004533F9 GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004534CF GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452D5F GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452E51 EnumSystemLocalesW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452E06 EnumSystemLocalesW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452EEC EnumSystemLocalesW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452F77 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044B734 GetLocaleInfoW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004531CA GetLocaleInfoW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0044B1B1 EnumSystemLocalesW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004532F3 GetLocaleInfoW,GetLocaleInfoW,GetACP
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004533F9 GetLocaleInfoW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004534CF GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0044B734 GetLocaleInfoW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00452B5A GetACP,IsValidCodePage,GetLocaleInfoW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00452D5F GetLocaleInfoW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00452E51 EnumSystemLocalesW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00452E06 EnumSystemLocalesW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00452EEC EnumSystemLocalesW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00452F77 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite VolumeInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,14_2_004DFF00
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: Amcache.hve.21.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.21.drBinary or memory string: msmpeng.exe
              Source: Amcache.hve.21.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.21.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
              Source: Amcache.hve.21.drBinary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 4536, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3308, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7112, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7620, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\EfSAyduNP94O7VkIcUcjXr_.zip, type: DROPPED
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\walletsFo
              Source: file.exe, 00000000.00000002.1413592341.0000000005859000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty Extension
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\Autofill
              Source: file.exe, 00000000.00000002.1413592341.0000000005859000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: Exodus_E
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json2Vo
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsN16l7
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger LivealV
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\formhistory.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\logins.json
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\signons.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\places.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\signons.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File read: C:\Users\user\AppData\Local\Temp\trixyTk4mNNg5wnH2\Cookies\Chrome_Default.txt
              Source: Yara match | File source: 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3308, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 4536, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3308, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7112, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7620, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\EfSAyduNP94O7VkIcUcjXr_.zip, type: DROPPED
              MITRE ATT&CK Matrix (techniques with at least one matching signature; the count column is reproduced as printed in the matrix)

              Tactic | Technique | Count
              Execution | Native API | 2
              Execution | Command and Scripting Interpreter | 2
              Execution | Scheduled Task/Job | 1
              Persistence | DLL Side-Loading | 1
              Persistence | Scheduled Task/Job | 1
              Persistence | Registry Run Keys / Startup Folder | 1
              Privilege Escalation | DLL Side-Loading | 1
              Privilege Escalation | Process Injection | 11
              Privilege Escalation | Scheduled Task/Job | 1
              Privilege Escalation | Registry Run Keys / Startup Folder | 1
              Defense Evasion | Deobfuscate/Decode Files or Information | 1
              Defense Evasion | Obfuscated Files or Information | 3
              Defense Evasion | Software Packing | 2
              Defense Evasion | DLL Side-Loading | 1
              Defense Evasion | Masquerading | 1
              Defense Evasion | Virtualization/Sandbox Evasion | 13
              Defense Evasion | Process Injection | 11
              Credential Access | OS Credential Dumping | 1
              Credential Access | Credentials In Files | 1
              Discovery | System Time Discovery | 2
              Discovery | Account Discovery | 1
              Discovery | File and Directory Discovery | 2
              Discovery | System Information Discovery | 35
              Discovery | Query Registry | 1
              Discovery | Security Software Discovery | 351
              Discovery | Virtualization/Sandbox Evasion | 13
              Discovery | Process Discovery | 2
              Discovery | System Owner/User Discovery | 1
              Discovery | System Network Configuration Discovery | 1
              Collection | Archive Collected Data | 1
              Collection | Data from Local System | 21
              Collection | Screen Capture | 1
              Collection | Email Collection | 1
              Command and Control | Ingress Tool Transfer | 2
              Command and Control | Encrypted Channel | 21
              Command and Control | Non-Standard Port | 1
              Command and Control | Non-Application Layer Protocol | 2
              Command and Control | Application Layer Protocol | 13
              Behavior Graph (ID: 1460423; sample: file.exe; start date: 21/06/2024; architecture: WINDOWS; score: 100)

              • Top-level: contacts ipinfo.io and db-ip.com; signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Yara detected RisePro Stealer; 4 other signatures
              • file.exe (started): network: 77.91.77.66, 49701, 49702, 49703 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); ipinfo.io 34.117.186.192, 443, 49704, 49706 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); db-ip.com 172.67.75.166, 443, 49705, 49708 (CLOUDFLARENETUS, United States). Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\...\RageMP131.exe:Zone.Identifier (ASCII); C:\...\MPGPH131.exe:Zone.Identifier (ASCII). Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Found stalling execution ending in API Sleep call; 2 other signatures. Child processes: schtasks.exe (started twice), each with a conhost.exe child
              • MPGPH131.exe (started): dropped C:\Users\user\...fSAyduNP94O7VkIcUcjXr_.zip (Zip). Signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file. Child process: WerFault.exe
              • RageMP131.exe (started): Tries to detect sandboxes / dynamic malware analysis system (registry check)
              • 2 other processes: Tries to harvest and steal browser information (history, passwords, etc)

              Source | Detection | Scanner | Label
              file.exe | 100% | Joe Sandbox ML |

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML |
              C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
              C:\ProgramData\MPGPH131\MPGPH131.exe | 47% | ReversingLabs | Win32.Trojan.RiseProStealer
              C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 47% | ReversingLabs | Win32.Trojan.RiseProStealer

              No Antivirus matches

              No Antivirus matches
              Source | Detection | Scanner | Label
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
              http://upx.sf.net | 0% | URL Reputation | safe
              https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
              https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
              https://ipinfo.io/ | 0% | URL Reputation | safe
              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
              http://77.91.77.81/mine/amadka.exe | 100% | Avira URL Cloud | phishing
              https://ipinfo.io:443/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botB | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORTv | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/go.exe | 100% | Avira URL Cloud | phishing
              https://t.me/risepro_botL | 0% | Avira URL Cloud | safe
              https://db-ip.com/ | 0% | Avira URL Cloud | safe
              https://db-ip.com:443/demo/home.php?s=8.46.123.33J | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
              https://ipinfo.io/widget/demo/8.46.123.335 | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/go.exeE | 100% | Avira URL Cloud | phishing
              https://t.me/risepro | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botZ | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33K | 0% | Avira URL Cloud | safe
              https://t.y | 0% | Avira URL Cloud | safe
              https://ipinfo.io/y | 0% | Avira URL Cloud | safe
              http://77.91.77.81/mine/amadka.exerisepro3J | 100% | Avira URL Cloud | phishing
              https://t.me/risepro_botO | 0% | Avira URL Cloud | safe
              https://ipinfo.io/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
              https://db-ip.com:443/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
              https://ipinfo.io:443/widget/demo/8.46.123.33h | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botisepro_bot | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORTMP=C: | 0% | Avira URL Cloud | safe
              https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK | 0% | Avira URL Cloud | safe
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
              https://ipinfo.io/widget/demo/8.46.123.33o | 0% | Avira URL Cloud | safe
              https://db-ip.com:443/demo/home.php?s=8.46.123.33r | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORT- | 0% | Avira URL Cloud | safe
              https://t.me/risepro_bot33 | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/go.exep | 100% | Avira URL Cloud | phishing
              https://ipinfo.io/widget/demo/8.46.123.33s | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe
              https://db-ip.com/n | 0% | Avira URL Cloud | safe
              https://ipinfo.io/Mozilla/5.0 | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/lenin.exen | 100% | Avira URL Cloud | phishing
              https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe
              https://t.me/risepro_bot | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33z | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33Ap | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33SE | 0% | Avira URL Cloud | safe
              https://www.maxmind.com/en/locate-my-ip-address | 0% | Avira URL Cloud | safe
              https://db-ip.com/w | 0% | Avira URL Cloud | safe
              https://support.mozilla.org | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
              http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/lenin.exe | 100% | Avira URL Cloud | phishing
              https://db-ip.com/demo/home.php?s=8.46.123.33i | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORTOCESSOR_IDENTIFIER=Intel%q | 0% | Avira URL Cloud | safe
              https://t._ | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botq | 0% | Avira URL Cloud | safe
              https://ipinfo.io:443/widget/demo/8.46.123.33% | 0% | Avira URL Cloud | safe
              https://ipinfo.io/& | 0% | Avira URL Cloud | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              ipinfo.io | 34.117.186.192 | true | false | | unknown
              db-ip.com | 172.67.75.166 | true | false | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              https://ipinfo.io/widget/demo/8.46.123.33 | false | Avira URL Cloud: safe | unknown
              https://ipinfo.io/ | false | URL Reputation: safe | unknown
              https://db-ip.com/demo/home.php?s=8.46.123.33 | false | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://77.91.77.81/mine/amadka.exe | MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
              https://db-ip.com:443/demo/home.php?s=8.46.123.33J | MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://duckduckgo.com/chrome_newtab | MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | false | Avira URL Cloud: safe | unknown
              https://ipinfo.io:443/widget/demo/8.46.123.33 | file.exe, 00000000.00000002.1408683703.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://t.me/RiseProSUPPORTv | MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://t.me/risepro_botL | MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://duckduckgo.com/ac/?q= | MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | false | Avira URL Cloud: safe | unknown
              http://77.91.77.81/cost/go.exe | file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
              https://t.me/risepro_botB | RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://db-ip.com/ | RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://77.91.77.81/cost/go.exeE | MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
              https://ipinfo.io/widget/demo/8.46.123.335 | RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://t.me/risepro_botZ | MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | false | URL Reputation: safe | unknown
                  https://t.yMPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://db-ip.com/demo/home.php?s=8.46.123.33KRageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t.me/riseproRageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t.me/risepro_botOfile.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ipinfo.io/yMPGPH131.exe, 0000000E.00000002.1648923319.0000000000E81000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://77.91.77.81/mine/amadka.exerisepro3JMPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: phishing
                  unknown
                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchMPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drfalse
                  • URL Reputation: safe
                  unknown
                  https://db-ip.com:443/demo/home.php?s=8.46.123.33file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ipinfo.io/widget/demo/8.46.123.33oMPGPH131.exe, 0000000F.00000002.1411349896.0000000000D2F000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t.me/risepro_botisepro_botRageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t.me/RiseProSUPPORTMP=C:MPGPH131.exe, 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://db-ip.com:443/demo/home.php?s=8.46.123.33rMPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ipinfo.io:443/widget/demo/8.46.123.33hRageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLKD87fZN3R3jFeplaces.sqlite.0.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t.me/risepro_bot33MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.google.com/images/branding/product/ico/googleg_lodp.icoMPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t.me/RiseProSUPPORT-MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://77.91.77.81/cost/go.exepMPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: phishing
                  unknown
                  https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dllfile.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://upx.sf.netAmcache.hve.21.drfalse
                  • URL Reputation: safe
                  unknown
                  https://ipinfo.io/widget/demo/8.46.123.33sfile.exe, 00000000.00000002.1408683703.0000000000FBA000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t.me/RiseProSUPPORTfile.exe, 00000000.00000002.1408683703.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, EfSAyduNP94O7VkIcUcjXr_.zip.14.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://db-ip.com/nRageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.ecosia.org/newtab/MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drfalse
                  • URL Reputation: safe
                  unknown
                  https://ipinfo.io/Mozilla/5.0file.exe, 00000000.00000002.1408683703.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brD87fZN3R3jFeplaces.sqlite.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://ac.ecosia.org/autocomplete?q=MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drfalse
                  • URL Reputation: safe
                  unknown
                  https://t.me/risepro_botRageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.14.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://77.91.77.81/cost/lenin.exenMPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: phishing
                  unknown
                  https://db-ip.com/demo/home.php?s=8.46.123.33zRageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.maxmind.com/en/locate-my-ip-addressfile.exe, MPGPH131.exefalse
                  • Avira URL Cloud: safe
                  unknown
                  https://db-ip.com/demo/home.php?s=8.46.123.33ApRageMP131.exe, 00000011.00000002.1531975508.0000000000E9B000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://db-ip.com/demo/home.php?s=8.46.123.33SEMPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://db-ip.com/wMPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.winimage.com/zLibDllfile.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.0.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drfalse
                  • URL Reputation: safe
                  unknown
                  https://db-ip.com/demo/home.php?s=8.46.123.33iMPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://77.91.77.81/cost/lenin.exefile.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: phishing
                  unknown
                  https://t.me/RiseProSUPPORTOCESSOR_IDENTIFIER=Intel%qRageMP131.exe, 00000011.00000002.1531975508.0000000000DCE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t._MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://t.me/risepro_botqRageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ipinfo.io/&MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D1F000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ipinfo.io:443/widget/demo/8.46.123.33%MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
                  IP              Domain     Country             ASN     ASN Name                                   Malicious
                  34.117.186.192  ipinfo.io  United States       139070  GOOGLE-AS-APGoogleAsiaPacificPteLtdSG      false
                  172.67.75.166   db-ip.com  United States       13335   CLOUDFLARENETUS                            false
                  77.91.77.66     unknown    Russian Federation  42861   FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU   true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1460423
                  Start date and time:2024-06-21 00:20:06 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 8m 48s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:28
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:file.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@12/33@2/3
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 62%
                  • Number of executed functions: 31
                  • Number of non-executed functions: 64
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 52.168.117.173
                  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes were analyzed; report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: file.exe
                  Time      Type             Description
                  00:21:03  Task Scheduler   Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
                  00:21:03  Task Scheduler   Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
                  00:21:06  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                  00:21:16  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                  19:31:03  API Interceptor  1x Sleep call for process: WerFault.exe modified
                                                          • 104.26.5.15
                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          a0e9f5d64349fb13191bc781f81f42e1plTAoSCew2.exeGet hashmaliciousRisePro StealerBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          7rA1iX60wh.exeGet hashmaliciousRisePro StealerBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          Form_Ver-18-13-38.jsGet hashmaliciousBazar Loader, BruteRatel, LatrodectusBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          PNO3otPYOa.exeGet hashmaliciousRisePro StealerBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          YnsEArPlqx.exeGet hashmaliciousRisePro StealerBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          Invoice.docmGet hashmaliciousUnknownBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          file.exeGet hashmaliciousLummaC, PureLog Stealer, zgRATBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          Setup.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          setup.exeGet hashmaliciousAmadey, RisePro StealerBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          setup.exeGet hashmaliciousLummaCBrowse
                                                          • 34.117.186.192
                                                          • 172.67.75.166
                                                          No context
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3288080
                                                          Entropy (8bit):7.9625452806049735
                                                          Encrypted:false
                                                          SSDEEP:49152:TrVO6osi6tBGXBfiiwGNBUI7xScqc4sgUFXtOOli2mgIJs7UvYv5:Tdi6HGXNlwyBdn40gOl5IJKuYx
                                                          MD5:B7E7F713CE1C717B6AE28904971E37E5
                                                          SHA1:C18C91D091956967F5937CE5BD1555EA6494309F
                                                          SHA-256:F44B54751B7158902476013AED1FBCFEC96BC0AB19B3303D088DEC97F418885E
                                                          SHA-512:70BC16BF80F7F9A9A03153D63B64D77A9512DB2CBC89C7B367696F555C64C903782BD5FB6798D489C53527616DC2BB410B10564527A8A22DD5AFCFB97621B7FA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 47%
                                                          Reputation:low
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@...........................~.....[.2......................................a..........8.....................~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot.....&...X...&..x..............`..`.reloc........~......,2................@................................................................
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Reputation:high, very likely benign file
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):1.0493647040408818
                                                          Encrypted:false
                                                          SSDEEP:192:vAMVlKaKzI8SH0M8rr6E6jjyZrofxjPzuiFBZ24IO8q6t:o6peI/UM8rCjrPzuiFBY4IO81
                                                          MD5:5588A2AE7D8C28D4CABCEE4B37B30A51
                                                          SHA1:ABAA352E66BD3FA5A52AB345C064FAC517CF9A52
                                                          SHA-256:167F49EFBAD7761D5629F8988B7D28E914E47F2A9A34B7B80DB990D3450C738B
                                                          SHA-512:C6C0F7A319305CAB5ED146361B80FB83FBE23A16E86F7BF9D0881A0E0B2E0A11566070DED06063931CDC2AE0A37BAF519C5841F4098C7E6BA4AFC10EAB94D50E
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.3.9.9.8.4.7.1.4.0.8.2.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.3.9.9.8.4.8.9.2.2.0.6.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.8.9.d.f.d.4.7.-.c.c.3.2.-.4.b.1.5.-.9.b.f.d.-.9.5.2.4.0.0.9.e.5.4.c.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.9.f.5.9.6.8.-.b.2.9.1.-.4.b.8.4.-.b.2.e.6.-.3.c.d.2.2.d.1.f.c.5.9.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.e.c.-.0.0.0.1.-.0.0.1.4.-.f.9.1.0.-.4.c.2.3.6.0.c.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.c.1.8.c.9.1.d.0.9.1.9.5.6.9.6.7.f.5.9.3.7.c.e.5.b.d.1.5.5.5.e.a.6.4.9.4.3.0.9.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 23:30:48 2024, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):103932
                                                          Entropy (8bit):2.0402435309661335
                                                          Encrypted:false
                                                          SSDEEP:384:9z30VaFtvY6y5X4+fP+61uxV7fuMg1y/EnAfpEcv9C3QPEn/ReB7:9zEVaFtvAsfmrLQ
                                                          MD5:ABC0C4E11E8C795631C2E9B20C5E9EF5
                                                          SHA1:709EF7E245CE577544A9A4DEE0DDA78B27B1E5CB
                                                          SHA-256:16A1E6D25C5571C5D5355074BEBDD1E7A66FF3C46F2C8E78FE6A8D0F6ADC0586
                                                          SHA-512:60105E39CE93DF7DE445934E060218D5BC8E2C9E15D5A0C5060B7D422A1F67BD87D0FB56850DFC2FBDD236CDF0B064418B4DF7987C628212ED796094E4F5E041
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:MDMP..a..... .........tf....................................l....#...........L..........`.......8...........T............I..,L...........#...........%..............................................................................eJ.......&......GenuineIntel............T...........O.tf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):6372
                                                          Entropy (8bit):3.7298472600841532
                                                          Encrypted:false
                                                          SSDEEP:192:R6l7wVeJZuF6/yIDYiJJ2yAprR889b8Twsf0yP0m:R6lXJK66IDYaJ2fp8TDfxJ
                                                          MD5:37CA9929A7981A7357F65B1F8E11B3FD
                                                          SHA1:499C6816EAA154B614DB77258754CB77F2D15113
                                                          SHA-256:69D31002AB78152967F7552B706B97767E9BE13CCA4A06A7C65E2065EBD403E1
                                                          SHA-512:F9628B2999ABE446AEBE42582D8F84CB554A7FD69B77715F8B117E74BCF03AE0D8E5A5860482322F2B14C4E2414283C759A25623A06B52CF2D3296CAB33B60E5
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.0.8.<./.P.i.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4703
                                                          Entropy (8bit):4.523103053377153
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwWl8zsXJg77aI9XHjoWpW8VYNYm8M4JHYFX+q8iBq8Onrzrd:uIjf5I7pHjB7VBJ2g8+rzrd
                                                          MD5:BDC76BD941D7A30826A26B7311421549
                                                          SHA1:BB43E28F58F6D6F3FE5121CF3C699BBA3582770A
                                                          SHA-256:2F3589AFDC66A5E6B252FE3A764E350E9978C208087AF547613C23A88F9014B2
                                                          SHA-512:AFF8BE11C8D455F69FD866B070E3819E034DD5B1AD893E6A5EE196AFB7C0797FF847BFEE2977926E9D1315C4E12790317D0AA510343411F0DB74215ACCFCC184
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376713" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3288080
                                                          Entropy (8bit):7.9625452806049735
                                                          Encrypted:false
                                                          SSDEEP:49152:TrVO6osi6tBGXBfiiwGNBUI7xScqc4sgUFXtOOli2mgIJs7UvYv5:Tdi6HGXNlwyBdn40gOl5IJKuYx
                                                          MD5:B7E7F713CE1C717B6AE28904971E37E5
                                                          SHA1:C18C91D091956967F5937CE5BD1555EA6494309F
                                                          SHA-256:F44B54751B7158902476013AED1FBCFEC96BC0AB19B3303D088DEC97F418885E
                                                          SHA-512:70BC16BF80F7F9A9A03153D63B64D77A9512DB2CBC89C7B367696F555C64C903782BD5FB6798D489C53527616DC2BB410B10564527A8A22DD5AFCFB97621B7FA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 47%
                                                          Reputation:low
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@...........................~.....[.2......................................a..........8.....................~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot.....&...X...&..x..............`..`.reloc........~......,2................@................................................................
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                          Category:modified
                                                          Size (bytes):2801
                                                          Entropy (8bit):7.729945239782429
                                                          Encrypted:false
                                                          SSDEEP:48:9Rae1+D0JGAA43YUxDWfVb4jotsWtqKghBks6n3KJ6xkvOkfcw:L+wJGBgYU1OVbu8EKgIs63KJV
                                                          MD5:2A865D6667C48785EAA9A61D9353EB0F
                                                          SHA1:C572FD560766F21F22440E076683909AD2C79296
                                                          SHA-256:8F4CC4988FBFCAD8509D197D1898482CA2B27EA2CCDCAB36067834B67711EEB2
                                                          SHA-512:86F8036538781E28AFD6CBB6D34075467E1A6035EFA893F3EF2492029132A8A9FC28942BB60AABC5207A3A278EF371B6DF0D4708B831D2754FBEF34718BDD652
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\EfSAyduNP94O7VkIcUcjXr_.zip, Author: Joe Security
                                                          Preview:PK...........X................Cookies\..PK...........X................Cookies\Chrome_Default.txt....@.@.H..E2o.)...i...f......L....D."e.moutw.8V}...WB..@#("D.F0".4.$.!.....?...Ny.m~.H...@...h....ee.2<..F.jZu..[)=.F.c.2Fh....J..rf...O..... .N...u5..H6[...o?.....e..I...,.i.h._h.F..............g...*...J'..YV..y....n...kF..uN.@.....i#x...:.eM..n.eT...s.\...S.P..4.ke.8(=...!..F.J..X...MLpL.H.'..[.'...X,........:.C.Hd.%.B....u:W.......n.....{..Fs...],...*.<.:...Dw.Vo/[.........PK...........X...ut..._.......information.txt}X.o.F.~7...$..oI~Z.M.:.b.Y...,..-.dHr.l...Q...=1..X$....G...6I.!)mZ.~.-.$..{.........fK>n3.)a...!..7....n......2..6.D.6..s:XD.b..el.....~........B.f..0f. .X0...z......{........%W:T..-4...C.G......T7C2.^O.|U.5.6....)...gw...[..)..y.._...r>{...~..4K?.I.gv....d.0......Ny..l2$.'........U..|.+9...[.f.T......9z...e......E...}9$...Q....N.?..Q..l+[.s...0!.....O....'`RC..E.U.-o.bI.I....e.n[H..t.`O..&[m....l0:..>.En..Q..N.U..7.h.%...$[.....FU-.
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:modified
                                                          Size (bytes):13
                                                          Entropy (8bit):2.7773627950641693
                                                          Encrypted:false
                                                          SSDEEP:3:L1W7Ubn:5n
                                                          MD5:4589935A0B45FC4928C26958073C6906
                                                          SHA1:21109F32849C1782F97AB0735DC7EB577CC34116
                                                          SHA-256:48F847B59CBCE0543E573E0F387444E5621EE984756076E8F94E8F7E39861E27
                                                          SHA-512:D53CEAFEDF882F26AA79A41F6CD421B983C9D9D2C518E1AABB86E2F92590C38BE709846DBFD2262CA989781394C44DE2AF2370EB9EC0AA768578BF729B4CCB71
                                                          Malicious:false
                                                          Preview:1718930414721
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                          Category:modified
                                                          Size (bytes):5242880
                                                          Entropy (8bit):0.03786218306281921
                                                          Encrypted:false
                                                          SSDEEP:192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
                                                          MD5:4BB4A37B8E93E9B0F5D3DF275799D45E
                                                          SHA1:E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
                                                          SHA-256:89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
                                                          SHA-512:F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                          Category:modified
                                                          Size (bytes):98304
                                                          Entropy (8bit):0.08235737944063153
                                                          Encrypted:false
                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.848598812124929
Encrypted: false
SSDEEP: 24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5: 9664DAA86F8917816B588C715D97BE07
SHA1: FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256: 8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512: E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 5242880
Entropy (8bit): 0.03786218306281921
Encrypted: false
SSDEEP: 192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5: 4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1: E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256: 89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512: F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 51200
Entropy (8bit): 0.8746135976761988
Encrypted: false
SSDEEP: 96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5: 9E68EA772705B5EC0C83C2A97BB26324
SHA1: 243128040256A9112CEAC269D56AD6B21061FF80
SHA-256: 17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512: 312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.137181696973627
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5: 2D903A087A0C793BDB82F6426B1E8EFB
SHA1: E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256: AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512: 90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 5242880
Entropy (8bit): 0.03786218306281921
Encrypted: false
SSDEEP: 192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5: 4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1: E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256: 89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512: F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6732424250451717
Encrypted: false
SSDEEP: 24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5: CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1: 3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256: EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512: 0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 159744
Entropy (8bit): 0.5394293526345721
Encrypted: false
SSDEEP: 96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5: 52701A76A821CDDBC23FB25C3FCA4968
SHA1: 440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256: D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512: 2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 159744
Entropy (8bit): 0.5394293526345721
Encrypted: false
SSDEEP: 96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5: 52701A76A821CDDBC23FB25C3FCA4968
SHA1: 440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256: D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512: 2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.137181696973627
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5: 2D903A087A0C793BDB82F6426B1E8EFB
SHA1: E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256: AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512: 90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious: false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.137181696973627
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
                                                          MD5:2D903A087A0C793BDB82F6426B1E8EFB
                                                          SHA1:E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
                                                          SHA-256:AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
                                                          SHA-512:90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):155648
                                                          Entropy (8bit):0.5407252242845243
                                                          Encrypted:false
                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):155648
                                                          Entropy (8bit):0.5407252242845243
                                                          Encrypted:false
                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):530
                                                          Entropy (8bit):6.01131324322648
                                                          Encrypted:false
                                                          SSDEEP:12:copYx113fB6BN6nWI7F5rYc0xc5LdxW6bNANfO2hmxEBN6no:KzBochYwxhRAxKqJ
                                                          MD5:350448C3F5349CF53811A638AB396DD4
                                                          SHA1:4F2F2B7A09C5975DC4E26164FAF042A66453817D
                                                          SHA-256:1AD8F746DF0D5B92CD87386A8CC59BDFAE5FB183F9BD295482ADD2F7293957AE
                                                          SHA-512:219BF9680276CEE9CD0BBC5A43AD7A429CD936F3E01512EC86EB7DB754C6F53F696854E37D0A5F54957DF632FEB39E8BECA7A41CDE527354DB7DC1B66B644680
                                                          Malicious:false
                                                          Preview:.google.com.FALSE./.TRUE.1699083741.1P_JAR.ENC893*_djEwQhi70pxk8SYnIsUr5Mx1RafU8aVnOVKREuHIhYZGwf7yYiBTX+/Go9I=_pegY58D3HUBD9QZJcLjavVe+t354dfRkh4996+iwhdQ=*...google.com.TRUE./.TRUE.1712302940.NID.ENC893*_djEwLw0FxAbtzbuLu4wKVSq+uTnRXrV8Hjm5jygIZpKkr22DX+rtTXvcKjen8Rma/GMurYESAmzjenQyKR9qgVu8k/RaiXiSOiaa/lut8WnwO9d8PkBOTAKSZdFhBtU397xZvK8G5XfAi73fDip21OdwdRp1SNZiUAXp6f0j3VYFGuDV6eIgzT4pVkR12LMGBw+RHof28TQ4kFZOLkO7VAFPVzwW25OZFq13SAlLlyUrl4XcbKetVNOrD9EP/gbXB8k6OopuPJAICB2ZHI4=_pegY58D3HUBD9QZJcLjavVe+t354dfRkh4996+iwhdQ=*..
                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                          Category:dropped
                                                          Size (bytes):5471
                                                          Entropy (8bit):5.456573546077302
                                                          Encrypted:false
                                                          SSDEEP:96:xRFx5VORZicBpAXiSt3ZRT9UwJM0FPscsANUbg3x:xnwDi8ySSt3PT9UmDVB
                                                          MD5:3162F808C28FC74CC7687F6E4D0DA67C
                                                          SHA1:2DF6A7B1A98BBEA94EA3EB1A10D43095B87BACE2
                                                          SHA-256:75CC2C514D7C17A54880E45C5745A4F700A15E376AE25590D379BF700BA3579E
                                                          SHA-512:F36198424E6154024520376FE570712B427CEE28F027B946AD8DEC5EDDF5E7E55B13FEF4701AEE4451733C44F290AB871D6421A4A51D07D205F94BBC43125F17
                                                          Malicious:false
                                                          Preview:Build: selta..Version: 2.0....Date: Thu Jun 20 18:21:18 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: ba7424f256950ea63618af0f9a7cb086....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user~1\AppData\Local\Temp\trixyTk4mNNg5wnH2....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 134349 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 18:21:18..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [328]..csrss.exe [412]..wininit.exe [488]..csrss.exe [496]..winlogon.exe [556]..services.exe [624]..lsass.exe [632]..svchost.exe [748]..fontdrvhost.exe [772]..fontdrvh
                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                          Category:dropped
                                                          Size (bytes):4897
                                                          Entropy (8bit):2.518316437186352
                                                          Encrypted:false
                                                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                          Malicious:false
                                                          Preview:................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:MS Windows registry file, NT/2000 or above
                                                          Category:dropped
                                                          Size (bytes):1835008
                                                          Entropy (8bit):4.4170754748717425
                                                          Encrypted:false
                                                          SSDEEP:6144:0cifpi6ceLPL9skLmb0mFSWSPtaJG8nAgex285i2MMhA20X4WABlGuNR5+:Zi58FSWIZBk2MM6AFB3o
                                                          MD5:8E1E1270D2D08921B26814543CAC2F99
                                                          SHA1:36B4346C35A7F779378B37179A38677A03D94371
                                                          SHA-256:FA82048B9506FBB63645FB1A684819A1354A39B9F50E6E9A3A40A52320956481
                                                          SHA-512:34188A0F4E917476705E010DF40DFCC2C2BADDE0087EDE597C41AF884EA102907B49AC666FBD0A3965B72C6EE9B7E341B25FD40EA7C038BD36126617CA15FE0E
                                                          Malicious:false
                                                          Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....i...............................................................................................................................................................................................................................................................................................................................................A9..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.9625452806049735
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:file.exe
                                                          File size:3'288'080 bytes
                                                          MD5:b7e7f713ce1c717b6ae28904971e37e5
                                                          SHA1:c18c91d091956967f5937ce5bd1555ea6494309f
                                                          SHA256:f44b54751b7158902476013aed1fbcfec96bc0ab19b3303d088dec97f418885e
                                                          SHA512:70bc16bf80f7f9a9a03153d63b64d77a9512db2cbc89c7b367696f555c64c903782bd5fb6798d489c53527616dc2bb410b10564527a8a22dd5afcfb97621b7fa
                                                          SSDEEP:49152:TrVO6osi6tBGXBfiiwGNBUI7xScqc4sgUFXtOOli2mgIJs7UvYv5:Tdi6HGXNlwyBdn40gOl5IJKuYx
                                                          TLSH:6DE533B4ACE1DB73DEF7253A19571DC325012713CE935A70654FACB3A12824E13AAB2D
                                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                                          Icon Hash:8596a1a0a1a1b171
                                                          Entrypoint:0x980058
                                                          Entrypoint Section:.boot
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:0
                                                          File Version Major:6
                                                          File Version Minor:0
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:0
                                                          Import Hash:63814aaf116ba6abb6496ce4bcad24c6
                                                          Instruction
                                                          call 00007FEC20ED3AF0h
                                                          push ebx
                                                          mov ebx, esp
                                                          push ebx
                                                          mov esi, dword ptr [ebx+08h]
                                                          mov edi, dword ptr [ebx+10h]
                                                          cld
                                                          mov dl, 80h
                                                          mov al, byte ptr [esi]
                                                          inc esi
                                                          mov byte ptr [edi], al
                                                          inc edi
                                                          mov ebx, 00000002h
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          jnc 00007FEC20ED398Ch
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          jnc 00007FEC20ED39F3h
                                                          xor eax, eax
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          jnc 00007FEC20ED3A87h
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          adc eax, eax
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          adc eax, eax
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          adc eax, eax
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          adc eax, eax
                                                          je 00007FEC20ED39AAh
                                                          push edi
                                                          mov eax, eax
                                                          sub edi, eax
                                                          mov al, byte ptr [edi]
                                                          pop edi
                                                          mov byte ptr [edi], al
                                                          inc edi
                                                          mov ebx, 00000002h
                                                          jmp 00007FEC20ED393Bh
                                                          mov eax, 00000001h
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          adc eax, eax
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          jc 00007FEC20ED398Ch
                                                          sub eax, ebx
                                                          mov ebx, 00000001h
                                                          jne 00007FEC20ED39CAh
                                                          mov ecx, 00000001h
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          adc ecx, ecx
                                                          add dl, dl
                                                          jne 00007FEC20ED39A7h
                                                          mov dl, byte ptr [esi]
                                                          inc esi
                                                          adc dl, dl
                                                          jc 00007FEC20ED398Ch
                                                          push esi
                                                          mov esi, edi
                                                          sub esi, ebp
                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x19618b         0x184         .idata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x18a000         0x1638        .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7ec000         0x10          .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x197018         0x18          .tls
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x18369c         0x40
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                          Name         Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy              Characteristics
                                                          (not shown)  0x1000           0x15bbc8      0x9d200   0b5966057166f14f792b0661a52e62c9  False     0.9981028117541766  data                  7.974899357034606    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          (not shown)  0x15d000         0x27e32       0x10a00   cdb9a7ba3c41de697f1c02a0819f5afb  False     0.9910126879699248  data                  7.921714740120305    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          (not shown)  0x185000         0x4930        0x800     4c73bbaf3b06d3fecdce59d9a8ec47f9  False     0.990234375         data                  7.7595853049567465   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rsrc        0x18a000         0x1638        0x1800    fe6f3fdb9e7e97cba92d8ce4e4fcc95b  False     0.7220052083333334  data                  6.54017046361188     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          (not shown)  0x18c000         0x9858        0x7200    e10cc8e287c4710362557422f669d7cc  False     0.9799205043859649  data                  7.940612143792499    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                          .idata       0x196000         0x1000        0x400     1b20e07443fa333ff9692026d1e6c6c2  False     0.3984375           data                  3.42439969016873     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .tls         0x197000         0x1000        0x200     54a50a058e0f3b6aa2fe1b22e2033106  False     0.056640625         data                  0.18120187678200297  IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .themida     0x198000         0x3e8000      0x0       d41d8cd98f00b204e9800998ecf8427e  unknown   unknown             unknown               unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .boot        0x580000         0x26b400      0x26b400  adef47a5fd46533e1142dfe88de3ac44  unknown   unknown             unknown               unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .reloc       0x7ec000         0x1000        0x10      f5bc99b71bad9e8a775cc32747e3ca58  False     1.5                 GLS_BINARY_LSB_FIRST  2.474601752714581    IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x18a440 | 0x1060 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.8838263358778626
RT_GROUP_ICON | 0x18b4a0 | 0x14 | data | Russian | Russia | 1.05
RT_VERSION | 0x18a130 | 0x310 | data | Russian | Russia | 0.45408163265306123
RT_MANIFEST | 0x18b4b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | wsprintfA
GDI32.dll | CreateCompatibleBitmap
ADVAPI32.dll | RegQueryValueExA
SHELL32.dll | ShellExecuteA
ole32.dll | CoInitialize
WS2_32.dll | WSAStartup
CRYPT32.dll | CryptUnprotectData
SHLWAPI.dll | PathFindExtensionA
gdiplus.dll | GdipGetImageEncoders
SETUPAPI.dll | SetupDiEnumDeviceInfo
ntdll.dll | RtlUnicodeStringToAnsiString
RstrtMgr.DLL | RmStartSession
Language of compilation system | Country where language is spoken
Russian | Russia
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/21/24-00:21:07.716237 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49701 | 58709 | 192.168.2.7 | 77.91.77.66
06/21/24-00:21:18.191477 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49702 | 58709 | 192.168.2.7 | 77.91.77.66
06/21/24-00:21:22.433823 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49716 | 77.91.77.66 | 192.168.2.7
06/21/24-00:21:04.001309 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49701 | 58709 | 192.168.2.7 | 77.91.77.66
06/21/24-00:21:08.912466 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49703 | 77.91.77.66 | 192.168.2.7
06/21/24-00:21:09.145970 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49703 | 77.91.77.66 | 192.168.2.7
06/21/24-00:21:29.885372 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49721 | 77.91.77.66 | 192.168.2.7
06/21/24-00:21:04.598857 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49701 | 77.91.77.66 | 192.168.2.7
06/21/24-00:21:08.254846 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49701 | 77.91.77.66 | 192.168.2.7
06/21/24-00:21:09.129736 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49702 | 77.91.77.66 | 192.168.2.7
06/21/24-00:21:08.889682 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49702 | 77.91.77.66 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Jun 21, 2024 00:21:12.227546930 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.227658987 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.227690935 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.278770924 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.316521883 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.335844994 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.335907936 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.335959911 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.335987091 CEST4970358709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.335994005 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.336029053 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.336052895 CEST4970358709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.356909037 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.388113976 CEST4970358709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.422072887 CEST4970358709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.428637028 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.431917906 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.438780069 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.651993990 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.695718050 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.700535059 CEST4970358709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.747500896 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.770415068 CEST4970358709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.776575089 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:12.785818100 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:12.792001009 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.340682030 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.388034105 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.419598103 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.426402092 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.651695013 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.700550079 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.747891903 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.752868891 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987402916 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987454891 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987467051 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987478971 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987503052 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.987526894 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.987560034 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987611055 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.987751961 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987763882 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987806082 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.987811089 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.987850904 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.988221884 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.988272905 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.988285065 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.988322020 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.988430023 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.988501072 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.988538980 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.989188910 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.989212990 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.989224911 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.989236116 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.989264011 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:14.993666887 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.993706942 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:14.993746996 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.067603111 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.084228039 CEST587094970377.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.105051994 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.105078936 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.105091095 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.105166912 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.105200052 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.105215073 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.105246067 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.122546911 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.138097048 CEST4970358709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.153688908 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.185249090 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.192646027 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.419384956 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.466166973 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.522898912 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:15.529517889 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.758955956 CEST587094970177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:15.810029984 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:17.587692022 CEST4970158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:17.746381998 CEST4970358709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:18.191477060 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:18.198064089 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:18.595407009 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:18.637974024 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:20.274576902 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:20.274647951 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:20.281102896 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:20.281145096 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:20.281173944 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:20.281188011 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:20.281199932 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:20.288011074 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:21.836513042 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:21.843755960 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:21.843900919 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:21.864043951 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:21.868949890 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:22.433823109 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:22.481893063 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:23.218944073 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:23.278691053 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:23.341346979 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:23.348391056 CEST587094970277.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:23.348473072 CEST4970258709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:23.385351896 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:23.481842995 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:23.484364033 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:23.484412909 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:23.484538078 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:23.485640049 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:23.485656023 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:23.497622967 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:23.505618095 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:23.950298071 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:23.950366974 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:23.953188896 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:23.953195095 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:23.953445911 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:24.011492968 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:24.056502104 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:24.139533997 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:24.139672995 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:24.139724016 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:24.139916897 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:24.139938116 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:24.139951944 CEST49717443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:24.139957905 CEST4434971734.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:24.142101049 CEST49718443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:24.142122984 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.142225027 CEST49718443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:24.142760992 CEST49718443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:24.142772913 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.618252039 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.618329048 CEST49718443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:24.619662046 CEST49718443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:24.619669914 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.619920015 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.621225119 CEST49718443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:24.664500952 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.783746004 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.784120083 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.784178019 CEST49718443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:24.784303904 CEST49718443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:24.784315109 CEST44349718172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:24.784945965 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:24.792228937 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:25.057445049 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:25.108783007 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:25.110162973 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:25.300127983 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:25.300158024 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:25.300257921 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:25.526633978 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:25.578350067 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:28.718981028 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:28.725559950 CEST587094971677.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:28.725683928 CEST4971658709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:29.026293039 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:29.032943010 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:29.033113956 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:29.078053951 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:29.085386038 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:29.842473984 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:29.885371923 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:29.885449886 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:30.107268095 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:30.153687000 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:30.278371096 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:30.325869083 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:30.334088087 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:30.334136963 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:30.334216118 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:30.335155010 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:30.335175037 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:30.403887987 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:30.409151077 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:30.987632036 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:30.987720013 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:30.989084005 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:30.989090919 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:30.989871025 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:31.044316053 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:31.050394058 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:31.092544079 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:31.183809996 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:31.183928013 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:31.184068918 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:31.184485912 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:31.184497118 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:31.184514046 CEST49724443192.168.2.734.117.186.192
                                                          Jun 21, 2024 00:21:31.184520006 CEST4434972434.117.186.192192.168.2.7
                                                          Jun 21, 2024 00:21:31.186647892 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:31.186680079 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:31.190677881 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:31.191098928 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:31.191117048 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:31.896787882 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:31.896899939 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:31.905579090 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:31.905606031 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:31.905960083 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:31.907628059 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:31.948508024 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:32.075598001 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:32.075702906 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:32.075854063 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:32.081186056 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:32.081226110 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:32.081273079 CEST49725443192.168.2.7172.67.75.166
                                                          Jun 21, 2024 00:21:32.081280947 CEST44349725172.67.75.166192.168.2.7
                                                          Jun 21, 2024 00:21:32.089000940 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:32.095089912 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:32.356393099 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:32.408634901 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:32.421545982 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:32.428143978 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:32.648624897 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:32.700607061 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:35.763140917 CEST4972158709192.168.2.777.91.77.66
                                                          Jun 21, 2024 00:21:35.768121958 CEST587094972177.91.77.66192.168.2.7
                                                          Jun 21, 2024 00:21:35.768208981 CEST4972158709192.168.2.777.91.77.66
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jun 21, 2024 00:21:08.362730026 CEST  62057           53     192.168.2.7      1.1.1.1
Jun 21, 2024 00:21:08.373075962 CEST     53        62057     1.1.1.1          192.168.2.7
Jun 21, 2024 00:21:09.104669094 CEST  51884           53     192.168.2.7      1.1.1.1
Jun 21, 2024 00:21:09.116669893 CEST     53        51884     1.1.1.1          192.168.2.7
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
Jun 21, 2024 00:21:08.362730026 CEST  192.168.2.7  1.1.1.1  0x9d67    Standard query (0)  ipinfo.io  A (IP address)  IN (0x0001)  false
Jun 21, 2024 00:21:09.104669094 CEST  192.168.2.7  1.1.1.1  0x71e5    Standard query (0)  db-ip.com  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name       CName   Address         Type            Class        DNS over HTTPS
Jun 21, 2024 00:21:08.373075962 CEST  1.1.1.1    192.168.2.7  0x9d67    No error (0)  ipinfo.io  (none)  34.117.186.192  A (IP address)  IN (0x0001)  false
Jun 21, 2024 00:21:09.116669893 CEST  1.1.1.1    192.168.2.7  0x71e5    No error (0)  db-ip.com  (none)  172.67.75.166   A (IP address)  IN (0x0001)  false
Jun 21, 2024 00:21:09.116669893 CEST  1.1.1.1    192.168.2.7  0x71e5    No error (0)  db-ip.com  (none)  104.26.5.15     A (IP address)  IN (0x0001)  false
Jun 21, 2024 00:21:09.116669893 CEST  1.1.1.1    192.168.2.7  0x71e5    No error (0)  db-ip.com  (none)  104.26.4.15     A (IP address)  IN (0x0001)  false
                                                          • ipinfo.io
                                                          • https:
                                                          • db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.7 | 49700 | 34.117.186.192 | 443
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:20:55 UTC | 59 | OUT | GET / HTTP/1.1
  Host: ipinfo.io
  Connection: Keep-Alive
2024-06-20 22:20:55 UTC | 513 | IN | HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Thu, 20 Jun 2024 22:20:55 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 319
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 1
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-06-20 22:20:55 UTC | 319 | IN | Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22
  Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49704 | 34.117.186.192 | 443 | 4536 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:21:08 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
2024-06-20 22:21:09 UTC | 514 | IN | HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Thu, 20 Jun 2024 22:21:09 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 1025
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 2
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-06-20 22:21:09 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
  Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 22:21:09 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
  Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49705 | 172.67.75.166 | 443 | 4536 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:21:09 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: db-ip.com
2024-06-20 22:21:09 UTC | 657 | IN | HTTP/1.1 200 OK
  Date: Thu, 20 Jun 2024 22:21:09 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  x-iplb-request-id: AC46E6F3:5FFC_93878F2E:0050_6674AB55_14BFBCBA:7B63
  x-iplb-instance: 59128
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ygKXkExJH1PQYe7SaJyhUdk3FAebX7A1%2FLFeNSuoREkMuBl3nhuChlFN1aXGC3YER1ftLLQYkOQdcUZuWvuIwoOXN26iPxkHIUda%2Bco%2BfXFoUi13FvhPZw%2Faw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 896f2677c98e8c6b-EWR
  alt-svc: h3=":443"; ma=86400
2024-06-20 22:21:09 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 22:21:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49706 | 34.117.186.192 | 443 | 3308 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:21:10 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
2024-06-20 22:21:10 UTC | 514 | IN | HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Thu, 20 Jun 2024 22:21:10 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 1025
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 3
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-06-20 22:21:10 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
  Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 22:21:10 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
  Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49707 | 34.117.186.192 | 443 | 7112 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:21:10 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
2024-06-20 22:21:10 UTC | 514 | IN | HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Thu, 20 Jun 2024 22:21:10 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 1025
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 3
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-06-20 22:21:10 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
  Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 22:21:10 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
  Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49708 | 172.67.75.166 | 443 | 3308 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:21:10 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: db-ip.com
2024-06-20 22:21:11 UTC | 655 | IN | HTTP/1.1 200 OK
  Date: Thu, 20 Jun 2024 22:21:10 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  x-iplb-request-id: A29E3E32:71E8_93878F2E:0050_6674AB56_14D3C242:4F34
  x-iplb-instance: 59215
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E6hEacCOfEAhUlL%2FSc2xPPDVT7ilnksSRNlty%2FS70j8T2FMSccb6FogWn62xpBSNalp9eGZXzcO3V0q37fdgo9%2F4w3SztGcViPYsOf6HGIMUxXDnpSDDYqc2RA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 896f267f584e0c90-EWR
  alt-svc: h3=":443"; ma=86400
2024-06-20 22:21:11 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 22:21:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49709 | 172.67.75.166 | 443 | 7112 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:21:10 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: db-ip.com
2024-06-20 22:21:11 UTC | 655 | IN | HTTP/1.1 200 OK
  Date: Thu, 20 Jun 2024 22:21:11 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  x-iplb-request-id: A29E9F24:D138_93878F2E:0050_6674AB56_14BFBCEB:7B63
  x-iplb-instance: 59128
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UsXFsO83lPZ6W1UhPv0Gv3puAz%2BKVCeKAGDHtFdHgWLnT9Nokj8NATK0Wa9NCbUm4tYk0TZaE4EdqpRb4WPiTI5x5XrH%2B6F42efpGpIXv3S%2B02ZH5XRYGPLfXg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 896f267f8e1b42d4-EWR
  alt-svc: h3=":443"; ma=86400
2024-06-20 22:21:11 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 22:21:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49717 | 34.117.186.192 | 443 | 7264 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:21:24 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
2024-06-20 22:21:24 UTC | 514 | IN | HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Thu, 20 Jun 2024 22:21:24 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 1025
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 2
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-06-20 22:21:24 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
  Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 22:21:24 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
  Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49718 | 172.67.75.166 | 443 | 7264 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 22:21:24 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: db-ip.com
2024-06-20 22:21:24 UTC | 655 | IN | HTTP/1.1 200 OK
  Date: Thu, 20 Jun 2024 22:21:24 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  x-iplb-request-id: A29E9E71:2B8C_93878F2E:0050_6674AB64_14D3C444:4F34
  x-iplb-instance: 59215
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TXHITAd3IL4hHuPwjxgE7U5K0Rx5lVpO8cVXwer2s9WrZjHQumwMydok%2BIlVKeDhzTd8hOshjhqD%2FDZ32fXJHh%2BS3FvbqdyqrZSJm5SwpWwNtH5jGxLB1knNGg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 896f26d55cb2421c-EWR
  alt-svc: h3=":443"; ma=86400
2024-06-20 22:21:24 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 22:21:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

                                                          Session ID:9
                                                          Source IP:192.168.2.7
                                                          Source Port:49724
                                                          Destination IP:34.117.186.192
                                                          Destination Port:443
                                                          PID:7620
                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                          Timestamp: 2024-06-20 22:21:31 UTC | Bytes transferred: 236 | Direction: OUT
                                                          GET /widget/demo/8.46.123.33 HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Referer: https://ipinfo.io/
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                          Host: ipinfo.io
                                                          Timestamp: 2024-06-20 22:21:31 UTC | Bytes transferred: 514 | Direction: IN
                                                          HTTP/1.1 200 OK
                                                          server: nginx/1.24.0
                                                          date: Thu, 20 Jun 2024 22:21:31 GMT
                                                          content-type: application/json; charset=utf-8
                                                          Content-Length: 1025
                                                          access-control-allow-origin: *
                                                          x-frame-options: SAMEORIGIN
                                                          x-xss-protection: 1; mode=block
                                                          x-content-type-options: nosniff
                                                          referrer-policy: strict-origin-when-cross-origin
                                                          x-envoy-upstream-service-time: 2
                                                          via: 1.1 google
                                                          strict-transport-security: max-age=2592000; includeSubDomains
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close
                                                          Timestamp: 2024-06-20 22:21:31 UTC | Bytes transferred: 876 | Direction: IN
                                                          Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                                          Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                                          Timestamp: 2024-06-20 22:21:31 UTC | Bytes transferred: 149 | Direction: IN
                                                          Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                                          Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                                          Session ID:10
                                                          Source IP:192.168.2.7
                                                          Source Port:49725
                                                          Destination IP:172.67.75.166
                                                          Destination Port:443
                                                          PID:7620
                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                          Timestamp: 2024-06-20 22:21:31 UTC | Bytes transferred: 260 | Direction: OUT
                                                          GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                                          Connection: Keep-Alive
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                          Host: db-ip.com
                                                          Timestamp: 2024-06-20 22:21:32 UTC | Bytes transferred: 659 | Direction: IN
                                                          HTTP/1.1 200 OK
                                                          Date: Thu, 20 Jun 2024 22:21:32 GMT
                                                          Content-Type: application/json
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-iplb-request-id: A29E9B93:CFF0_93878F2E:0050_6674AB6C_14BFC000:7B63
                                                          x-iplb-instance: 59128
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HkZar8chJfH%2BNQ9W8AIEFox3pP9j03LrI9oVky4jkkf0oLGcWVcFuiGSB7Se5qIIjTzXV%2Bw%2BsAKsQOtWgyDxZUXJtN19%2Ftu8ylDoO4Hu%2BAsrYdzN8e9YPyPIMA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 896f2702fb6f4310-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Timestamp: 2024-06-20 22:21:32 UTC | Bytes transferred: 85 | Direction: IN
                                                          Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                          Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                                          Timestamp: 2024-06-20 22:21:32 UTC | Bytes transferred: 5 | Direction: IN
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Target ID:0
                                                          Start time:18:21:00
                                                          Start date:20/06/2024
                                                          Path:C:\Users\user\Desktop\file.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                                          Imagebase:0x400000
                                                          File size:3'288'080 bytes
                                                          MD5 hash:B7E7F713CE1C717B6AE28904971E37E5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:18:21:02
                                                          Start date:20/06/2024
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                                          Imagebase:0xcb0000
                                                          File size:187'904 bytes
                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:18:21:02
                                                          Start date:20/06/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff75da10000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:18:21:02
                                                          Start date:20/06/2024
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                                          Imagebase:0xcb0000
                                                          File size:187'904 bytes
                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:18:21:02
                                                          Start date:20/06/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff75da10000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:18:21:03
                                                          Start date:20/06/2024
                                                          Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          Imagebase:0x400000
                                                          File size:3'288'080 bytes
                                                          MD5 hash:B7E7F713CE1C717B6AE28904971E37E5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 47%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:18:21:03
                                                          Start date:20/06/2024
                                                          Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                          Imagebase:0x400000
                                                          File size:3'288'080 bytes
                                                          MD5 hash:B7E7F713CE1C717B6AE28904971E37E5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:18:21:16
                                                          Start date:20/06/2024
                                                          Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                          Imagebase:0x400000
                                                          File size:3'288'080 bytes
                                                          MD5 hash:B7E7F713CE1C717B6AE28904971E37E5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 47%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:19:30:46
                                                          Start date:20/06/2024
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 824
                                                          Imagebase:0xde0000
                                                          File size:483'680 bytes
                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:19:30:48
                                                          Start date:20/06/2024
                                                          Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                          Imagebase:0x400000
                                                          File size:3'288'080 bytes
                                                          MD5 hash:B7E7F713CE1C717B6AE28904971E37E5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:9.1%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:28.2%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:8
                                                            execution_graph: node and edge listing of the interactive execution graph (2000 nodes, 8 limit nodes) that is rendered graphically on the original page; the raw listing is not reproduced here.
                                                            Entry node: 32672 at 0x46aa80
                                                            Recurring call targets in the listing: 0x4163b0 and 0x402cf0 (std::_Throw_Cpp_error, 42 API calls each), 0x4aa200 (221 API calls), std::_Locinfo::_Locinfo_ctor, std::ios_base::_Ios_base_dtor, __fread_nolock, SHGetFolderPathA (node 34074 at 0x4adc60)
34126->34129 34130 4b14c8 34127->34130 35448 41ace0 42 API calls 34128->35448 35227 4e7640 89 API calls 2 library calls 34129->35227 34130->32683 34131 418f00 42 API calls std::_Throw_Cpp_error 34131->34298 34134 41ab20 42 API calls 34134->34306 34135 41abb0 42 API calls 34135->34172 34136 4ae5e7 34138 402df0 std::_Throw_Cpp_error 42 API calls 34136->34138 34137->34114 35216 416130 34137->35216 34141 4ae5f9 34138->34141 34140 4c6000 46 API calls 34140->34172 34518 4ae9cc std::ios_base::_Ios_base_dtor std::_Locinfo::_Locinfo_ctor 34141->34518 35228 41b430 34141->35228 34143 402df0 42 API calls std::_Throw_Cpp_error 34143->34172 34145 41e710 42 API calls 34145->34306 34147 4b145e 34149 402df0 std::_Throw_Cpp_error 42 API calls 34147->34149 34151 4b1474 34149->34151 34150 41af80 42 API calls 34154 4ae711 34150->34154 34155 402df0 std::_Throw_Cpp_error 42 API calls 34151->34155 34159 41af80 42 API calls 34154->34159 34154->34518 34155->34096 34156 4b1629 34158 438c70 std::_Throw_Cpp_error 40 API calls 34156->34158 34161 4b162e 34158->34161 34163 4ae7b2 34159->34163 34160 4185d0 78 API calls 34160->34172 34162 417ef0 42 API calls 34161->34162 34164 4b168a 34162->34164 34165 41af80 42 API calls 34163->34165 34166 4140c0 104 API calls 34164->34166 34167 4ae848 34165->34167 34168 4b16b4 34166->34168 34171 41af80 42 API calls 34167->34171 34167->34518 34170 41af80 42 API calls 34168->34170 34169 41e710 42 API calls 34169->34518 34178 4b1761 __fread_nolock 34170->34178 34173 4ae8e9 34171->34173 34172->34093 34172->34115 34172->34119 34172->34135 34172->34140 34172->34143 34172->34160 34174 4163b0 std::_Throw_Cpp_error 42 API calls 34172->34174 35192 41e8a0 34172->35192 35196 424400 45 API calls 4 library calls 34172->35196 34176 41af80 42 API calls 34173->34176 34174->34172 34177 4ae97f 34176->34177 35237 41b0e0 104 API calls 4 library calls 34177->35237 34180 4b177f SHGetFolderPathA 34178->34180 34183 41ac50 42 API calls 34180->34183 34181 4ae98d 35238 458b00 52 API calls 2 
library calls 34181->35238 34185 4b17b9 34183->34185 34184 4ae99e 35239 4162c0 42 API calls std::_Throw_Cpp_error 34184->35239 34187 4b17e6 34185->34187 34188 4b1b25 34185->34188 34191 4163b0 std::_Throw_Cpp_error 42 API calls 34187->34191 35450 4152b0 42 API calls 34188->35450 34189 4ae9ae 34192 402df0 std::_Throw_Cpp_error 42 API calls 34189->34192 34194 4b17fa 34191->34194 34195 4ae9bd 34192->34195 34193 4b1b71 34207 4b1b20 34193->34207 35451 402fe0 40 API calls 2 library calls 34193->35451 34197 4c6000 46 API calls 34194->34197 34200 402df0 std::_Throw_Cpp_error 42 API calls 34195->34200 34196 4e6d70 80 API calls 34196->34306 34198 4b1811 34197->34198 34202 4b1833 34198->34202 34250 4b184a 34198->34250 34199 402fe0 40 API calls std::_Throw_Cpp_error 34199->34518 34200->34518 34203 4185d0 78 API calls 34202->34203 34205 4b1845 34203->34205 34204 4b1b0b 34208 4185d0 78 API calls 34204->34208 34210 4185d0 78 API calls 34205->34210 34206 4b1bf9 34458 4b1c64 std::ios_base::_Ios_base_dtor __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z std::_Locinfo::_Locinfo_ctor 34206->34458 35453 402fe0 40 API calls 2 library calls 34206->35453 34207->34206 34207->34458 35452 4242a0 42 API calls 34207->35452 34208->34207 34212 4b3469 34210->34212 34214 402df0 std::_Throw_Cpp_error 42 API calls 34212->34214 34213 41e8a0 42 API calls 34213->34518 34217 4b3478 34214->34217 34215 4163b0 42 API calls std::_Throw_Cpp_error 34215->34306 34216 41e8a0 42 API calls 34216->34250 34218 402df0 std::_Throw_Cpp_error 42 API calls 34217->34218 34221 4b3487 34218->34221 34219 4b3539 34225 402cf0 std::_Throw_Cpp_error 42 API calls 34219->34225 34220 41ad80 42 API calls 34220->34250 34224 402df0 std::_Throw_Cpp_error 42 API calls 34221->34224 34223 41e8a0 42 API calls 34223->34306 34227 4b3496 34224->34227 34231 4b3551 34225->34231 34226 4c6000 46 API calls 34226->34250 34227->32683 34229 4e6d70 80 API calls 34229->34518 34230 4140c0 104 API calls 34230->34458 35466 41ace0 42 API calls 34231->35466 
34233 402df0 std::_Throw_Cpp_error 42 API calls 34233->34250 34234 4b34e5 34238 402cf0 std::_Throw_Cpp_error 42 API calls 34234->34238 34236 4180a0 42 API calls 34236->34458 34237 4185d0 78 API calls 34237->34250 34242 4b34fc 34238->34242 34240 402df0 42 API calls std::_Throw_Cpp_error 34240->34306 34241 41abb0 42 API calls 34241->34298 35465 41ace0 42 API calls 34242->35465 34246 416130 42 API calls 34246->34518 34249 4b3595 34253 438c70 std::_Throw_Cpp_error 40 API calls 34249->34253 34250->34204 34250->34216 34250->34219 34250->34220 34250->34226 34250->34233 34250->34237 34254 4163b0 std::_Throw_Cpp_error 42 API calls 34250->34254 35449 424400 45 API calls 4 library calls 34250->35449 34252 402df0 42 API calls std::_Throw_Cpp_error 34252->34458 34256 4b359a 34253->34256 34254->34250 34262 402cf0 std::_Throw_Cpp_error 42 API calls 34256->34262 34258 41ab20 42 API calls 34258->34458 34259 403040 42 API calls std::_Throw_Cpp_error 34259->34306 34260 4140c0 104 API calls 34260->34518 34264 4b35b1 34262->34264 34263 41e8a0 42 API calls 34263->34458 35467 41ace0 42 API calls 34264->35467 34269 4b159a 34278 402cf0 std::_Throw_Cpp_error 42 API calls 34269->34278 34271 4032d0 42 API calls std::_Throw_Cpp_error 34271->34306 34274 4032d0 std::_Throw_Cpp_error 42 API calls 34274->34298 34275 41ad80 42 API calls 34275->34458 34277 402fe0 40 API calls std::_Throw_Cpp_error 34277->34306 34280 4b15b1 34278->34280 35447 41ace0 42 API calls 34280->35447 34281 4b14dd 34286 402cf0 std::_Throw_Cpp_error 42 API calls 34281->34286 34283 402cf0 42 API calls std::_Throw_Cpp_error 34283->34518 34285 426db0 42 API calls 34285->34518 34288 4b14f1 34286->34288 35444 41ace0 42 API calls 34288->35444 34292 4235f0 42 API calls 34292->34306 34293 41ab20 42 API calls 34293->34518 34295 4d6790 150 API calls 34295->34458 34296 4163b0 42 API calls std::_Throw_Cpp_error 34296->34298 34298->34047 34298->34057 34298->34105 34298->34121 34298->34131 34298->34241 34298->34274 34298->34296 34299 4e6d70 
80 API calls 34298->34299 35142 424400 45 API calls 4 library calls 34298->35142 34299->34298 34300 510f30 3 API calls 34300->34458 34301 4098e0 42 API calls 34301->34306 34302 4b34ab 34309 402cf0 std::_Throw_Cpp_error 42 API calls 34302->34309 34304 4d65f0 89 API calls 34304->34458 34306->34048 34306->34057 34306->34070 34306->34079 34306->34134 34306->34145 34306->34196 34306->34215 34306->34223 34306->34240 34306->34259 34306->34271 34306->34277 34306->34292 34306->34301 35101 418f00 34306->35101 35110 41abb0 34306->35110 34313 4b34be 34309->34313 34310 418f00 std::_Throw_Cpp_error 42 API calls 34310->34518 35464 41ace0 42 API calls 34313->35464 34318 41ad80 42 API calls 34318->34518 34326 4b334f 34340 402cf0 std::_Throw_Cpp_error 42 API calls 34326->34340 34329 417ef0 42 API calls 34329->34458 34330 433672 std::_Facet_Register 42 API calls 34330->34458 34334 424900 104 API calls 34334->34458 34336 41af80 42 API calls 34336->34518 34345 4b3363 34340->34345 35463 41ace0 42 API calls 34345->35463 34352 402df0 42 API calls std::_Throw_Cpp_error 34352->34518 34368 417ef0 42 API calls 34368->34518 34370 403040 42 API calls std::_Throw_Cpp_error 34370->34458 34373 4b1569 34387 402cf0 std::_Throw_Cpp_error 42 API calls 34373->34387 34378 426db0 42 API calls 34378->34458 34382 54b610 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34382->34518 34389 4b157c 34387->34389 35446 41ace0 42 API calls 34389->35446 34396 54ae20 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34396->34458 34404 433672 42 API calls std::_Facet_Register 34404->34518 34406 4b131b 34412 402cf0 std::_Throw_Cpp_error 42 API calls 34406->34412 34416 4b132f 34412->34416 34414 403040 42 API calls std::_Throw_Cpp_error 34414->34518 35443 41ace0 42 API calls 34416->35443 34423 4b1512 34428 402cf0 std::_Throw_Cpp_error 42 API calls 34423->34428 34432 4b1529 34428->34432 35445 41ace0 42 API calls 34432->35445 34449 4032d0 42 API calls std::_Throw_Cpp_error 34449->34458 
34458->34205 34458->34219 34458->34230 34458->34234 34458->34236 34458->34249 34458->34252 34458->34256 34458->34258 34458->34263 34458->34275 34458->34295 34458->34300 34458->34302 34458->34304 34458->34326 34458->34329 34458->34330 34458->34334 34458->34370 34458->34378 34458->34396 34458->34449 34462 413d50 104 API calls 34458->34462 34472 54b610 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34458->34472 35454 41c3a0 42 API calls std::_Facet_Register 34458->35454 35455 402fe0 40 API calls 2 library calls 34458->35455 35456 41e710 34458->35456 35461 4412f6 50 API calls __fread_nolock 34458->35461 35462 54af50 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34458->35462 34462->34458 34466 5475d0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34466->34518 34469 4180a0 42 API calls 34469->34518 34472->34458 34474 4b10a4 34480 402cf0 std::_Throw_Cpp_error 42 API calls 34474->34480 34478 413d50 104 API calls 34478->34518 34479 424900 104 API calls 34479->34518 34483 4b10b7 34480->34483 35418 41ace0 42 API calls 34483->35418 34486 4163b0 std::_Throw_Cpp_error 42 API calls 34486->34518 34494 4032d0 42 API calls std::_Throw_Cpp_error 34494->34518 34518->34115 34518->34147 34518->34156 34518->34169 34518->34199 34518->34213 34518->34229 34518->34246 34518->34260 34518->34269 34518->34281 34518->34283 34518->34285 34518->34293 34518->34310 34518->34318 34518->34336 34518->34352 34518->34368 34518->34373 34518->34382 34518->34404 34518->34406 34518->34414 34518->34423 34518->34466 34518->34469 34518->34474 34518->34478 34518->34479 34518->34486 34518->34494 35240 41ae20 42 API calls 34518->35240 35241 4e7640 89 API calls 2 library calls 34518->35241 35242 422100 34518->35242 35248 41db10 34518->35248 35312 41d490 42 API calls std::_Throw_Cpp_error 34518->35312 35313 41b0e0 104 API calls 4 library calls 34518->35313 35314 458b00 52 API calls 2 library calls 34518->35314 35315 4162c0 42 API calls std::_Throw_Cpp_error 
34518->35315 35316 41c3a0 42 API calls std::_Facet_Register 34518->35316 35317 4d6790 34518->35317 35370 510f30 34518->35370 35381 54ae20 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34518->35381 35382 532eb0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34518->35382 35383 532e30 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34518->35383 35384 4c64a0 141 API calls 2 library calls 34518->35384 35385 4c6b00 34518->35385 35419 54af50 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection 34518->35419 35420 4d65f0 34518->35420 35026 402d13 35025->35026 35026->35026 35027 403040 std::_Throw_Cpp_error 42 API calls 35026->35027 35028 402d25 35027->35028 35028->32701 35030 4032e2 35029->35030 35031 403306 35029->35031 35032 4032e9 35030->35032 35033 40331f 35030->35033 35034 403318 35031->35034 35036 433672 std::_Facet_Register 42 API calls 35031->35036 35043 433672 35032->35043 35054 402b50 42 API calls 2 library calls 35033->35054 35034->34024 35038 403310 35036->35038 35038->34024 35039 4032ef 35041 4032f8 35039->35041 35055 438c70 35039->35055 35041->34024 35045 433677 35043->35045 35046 433691 35045->35046 35049 402b50 Concurrency::cancel_current_task 35045->35049 35060 4423ec 35045->35060 35067 445a89 RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 35045->35067 35046->35039 35048 43369d 35048->35048 35049->35048 35065 4351fb RaiseException 35049->35065 35051 402b6c 35066 434b15 41 API calls 2 library calls 35051->35066 35053 402bac 35053->35039 35054->35039 35069 438bac 40 API calls __fread_nolock 35055->35069 35057 438c7f 35070 438c8d 11 API calls std::locale::_Setgloballocale 35057->35070 35059 438c8c 35063 44b094 __Getctype 35060->35063 35061 44b0d0 35061->35045 35062 44b0bd RtlAllocateHeap 35062->35061 35062->35063 35063->35061 35063->35062 35068 445a89 RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 35063->35068 35065->35051 35066->35053 35067->35045 
35068->35063 35069->35057 35070->35059 35072 4359c7 SHGetFolderPathA 35071->35072 35073 41ac50 35072->35073 35074 41ac81 35073->35074 35074->35074 35075 41acd3 35074->35075 35076 41e8a0 42 API calls 35074->35076 35077 41acb2 35076->35077 35077->34036 35077->34037 35079 4c6082 35078->35079 35080 4c6072 35078->35080 35081 41ab20 42 API calls 35079->35081 35080->35079 35082 402df0 std::_Throw_Cpp_error 42 API calls 35080->35082 35083 4c6125 FindFirstFileA 35081->35083 35082->35080 35085 402df0 std::_Throw_Cpp_error 42 API calls 35083->35085 35099 4c6159 std::ios_base::_Ios_base_dtor 35085->35099 35086 4c6463 35087 402df0 std::_Throw_Cpp_error 42 API calls 35086->35087 35089 4aa2d1 35087->35089 35088 4c6437 FindNextFileA 35090 4c644d GetLastError 35088->35090 35088->35099 35089->34046 35089->34298 35091 4c645c FindClose 35090->35091 35090->35099 35091->35086 35092 403040 std::_Throw_Cpp_error 42 API calls 35092->35099 35093 41ab20 42 API calls 35093->35099 35094 418f00 std::_Throw_Cpp_error 42 API calls 35094->35099 35095 4c648e 35097 438c70 std::_Throw_Cpp_error 40 API calls 35095->35097 35096 4242a0 42 API calls 35096->35099 35098 4c6493 35097->35098 35099->35086 35099->35088 35099->35092 35099->35093 35099->35094 35099->35095 35099->35096 35100 402df0 std::_Throw_Cpp_error 42 API calls 35099->35100 35100->35099 35102 418f4f 35101->35102 35103 418f22 std::_Locinfo::_Locinfo_ctor 35101->35103 35104 4032d0 std::_Throw_Cpp_error 42 API calls 35102->35104 35105 41902f std::ios_base::_Ios_base_dtor 35102->35105 35103->34306 35106 418fa4 std::_Locinfo::_Locinfo_ctor 35104->35106 35105->34306 35107 419002 std::_Locinfo::_Locinfo_ctor 35106->35107 35468 402fe0 40 API calls 2 library calls 35106->35468 35107->34306 35109 418fef 35109->34306 35111 41abe1 35110->35111 35111->35111 35112 418f00 std::_Throw_Cpp_error 42 API calls 35111->35112 35113 41abf6 35112->35113 35113->34306 35115 41863c std::ios_base::_Ios_base_dtor 35114->35115 35117 4185f3 35114->35117 35115->34048 35116 
41860e 35116->35115 35119 438c70 std::_Throw_Cpp_error 40 API calls 35116->35119 35117->35116 35118 402df0 std::_Throw_Cpp_error 42 API calls 35117->35118 35118->35117 35120 418672 35119->35120 35469 404900 42 API calls 3 library calls 35120->35469 35122 418728 35123 433672 std::_Facet_Register 42 API calls 35122->35123 35124 41872f 35123->35124 35470 432729 46 API calls 6 library calls 35124->35470 35126 41873b 35471 41a060 76 API calls 5 library calls 35126->35471 35128 418778 35129 4187cc 35128->35129 35472 404900 42 API calls 3 library calls 35128->35472 35129->34048 35132 402e13 35131->35132 35133 402e2e std::ios_base::_Ios_base_dtor 35131->35133 35132->35133 35134 438c70 std::_Throw_Cpp_error 40 API calls 35132->35134 35133->34058 35135 402e5f 35134->35135 35136 402e88 35135->35136 35137 4032d0 std::_Throw_Cpp_error 42 API calls 35135->35137 35136->34058 35139 402eee std::_Locinfo::_Locinfo_ctor 35137->35139 35138 402f3c std::_Locinfo::_Locinfo_ctor 35138->34058 35139->35138 35473 402fe0 40 API calls 2 library calls 35139->35473 35141 402f2b 35141->34058 35142->34298 35143->34041 35144->34053 35146 418034 35145->35146 35147 417f1d 35145->35147 35157 402cf0 std::_Throw_Cpp_error 42 API calls 35146->35157 35158 417f29 35146->35158 35148 417fcb 35147->35148 35149 417f83 35147->35149 35150 417f24 35147->35150 35151 417f2b 35147->35151 35152 417f7c 35147->35152 35148->34064 35154 433672 std::_Facet_Register 42 API calls 35149->35154 35474 41c3a0 42 API calls std::_Facet_Register 35150->35474 35156 433672 std::_Facet_Register 42 API calls 35151->35156 35475 41cf80 42 API calls 2 library calls 35152->35475 35154->35158 35156->35158 35159 41804f 35157->35159 35158->34064 35476 407f90 42 API calls 2 library calls 35159->35476 35161 418062 35477 4351fb RaiseException 35161->35477 35163 418073 35165 4140ff 35164->35165 35166 433672 std::_Facet_Register 42 API calls 35165->35166 35167 41412e 35166->35167 35168 4141ac 35167->35168 35478 42bf30 104 API calls 4 library 
calls 35167->35478 35172 41af80 35168->35172 35170 414171 35170->35168 35479 419860 104 API calls 35170->35479 35173 41afb8 35172->35173 35175 41afc5 35172->35175 35174 417ef0 42 API calls 35173->35174 35174->35175 35176 41b08c 35175->35176 35177 41afda 35175->35177 35178 402cf0 std::_Throw_Cpp_error 42 API calls 35176->35178 35179 403040 std::_Throw_Cpp_error 42 API calls 35177->35179 35180 41b09c 35178->35180 35181 41b013 35179->35181 35490 41ace0 42 API calls 35180->35490 35480 426db0 35181->35480 35186 41b058 std::ios_base::_Ios_base_dtor 35186->34073 35189 41b029 35189->35186 35190 438c70 std::_Throw_Cpp_error 40 API calls 35189->35190 35191 41b0dc 35190->35191 35193 41e8ce 35192->35193 35195 41e8f8 std::_Locinfo::_Locinfo_ctor 35192->35195 35194 4032d0 std::_Throw_Cpp_error 42 API calls 35193->35194 35194->35195 35195->34172 35196->34172 35197->34084 35198->34099 35199->34090 35201 41ab55 35200->35201 35202 41aba3 35201->35202 35203 41e8a0 42 API calls 35201->35203 35204 41ab83 35203->35204 35205 41ad80 35204->35205 35206 41adb4 35205->35206 35207 418f00 std::_Throw_Cpp_error 42 API calls 35206->35207 35208 41adbf 35207->35208 35209 4e6d70 35208->35209 35492 439820 35209->35492 35213 4e6e3c 35214 402df0 std::_Throw_Cpp_error 42 API calls 35213->35214 35215 4ae2f6 35214->35215 35215->34109 35217 416174 35216->35217 35220 416143 std::_Locinfo::_Locinfo_ctor 35216->35220 35218 416200 35217->35218 35219 416180 35217->35219 35222 418f00 std::_Throw_Cpp_error 42 API calls 35218->35222 35221 4032d0 std::_Throw_Cpp_error 42 API calls 35219->35221 35220->34114 35225 4161bf std::_Locinfo::_Locinfo_ctor 35221->35225 35223 416232 35222->35223 35223->34114 35224 4161ed 35224->34114 35225->35224 35612 402fe0 40 API calls 2 library calls 35225->35612 35227->34136 35229 417ef0 42 API calls 35228->35229 35230 41b48d 35229->35230 35231 422100 42 API calls 35230->35231 35232 41b4f0 35231->35232 35233 41db10 53 API calls 35232->35233 35234 41b503 35233->35234 35613 41d490 42 API 
calls std::_Throw_Cpp_error 35234->35613 35236 41b512 35236->34150 35237->34181 35238->34184 35239->34189 35240->34518 35241->34518 35243 42215f 35242->35243 35614 44133b 35243->35614 35247 422285 35247->34518 35249 41db56 35248->35249 35250 41de3d 35248->35250 35679 41ebb0 42 API calls 35249->35679 35252 41fd70 42 API calls 35250->35252 35254 41de87 35252->35254 35253 41dba4 35255 41fd70 42 API calls 35253->35255 35307 41df5e std::ios_base::_Ios_base_dtor 35254->35307 35688 41eda0 53 API calls 2 library calls 35254->35688 35258 41dbc1 35255->35258 35257 41dee2 35689 4075c0 42 API calls 2 library calls 35257->35689 35311 41dcc3 std::ios_base::_Ios_base_dtor 35258->35311 35680 41eda0 53 API calls 2 library calls 35258->35680 35259 417ef0 42 API calls 35262 41dfc7 35259->35262 35260 41de38 std::ios_base::_Ios_base_dtor 35260->34518 35262->35260 35267 438c70 std::_Throw_Cpp_error 40 API calls 35262->35267 35263 41df06 35690 41f440 53 API calls 3 library calls 35263->35690 35265 41dd82 35274 417ef0 42 API calls 35265->35274 35282 41dd9f 35265->35282 35266 41dcec 35270 417ef0 42 API calls 35266->35270 35271 41e06f 35267->35271 35269 41dc1c 35681 4075c0 42 API calls 2 library calls 35269->35681 35302 41dd01 35270->35302 35692 4190b0 41 API calls 35271->35692 35272 41df1f 35276 41e093 35272->35276 35279 402df0 std::_Throw_Cpp_error 42 API calls 35272->35279 35274->35282 35694 4190b0 41 API calls 35276->35694 35277 41dc40 35682 41f440 53 API calls 3 library calls 35277->35682 35278 41e07d 35693 4351fb RaiseException 35278->35693 35285 41df40 35279->35285 35685 4135b0 40 API calls 2 library calls 35282->35685 35691 407a20 RtlFreeHeap GetLastError ___std_exception_destroy 35285->35691 35286 41dc56 35286->35271 35291 41dc6b 35286->35291 35287 41e0a1 35695 4351fb RaiseException 35287->35695 35288 41dd6c 35686 4135b0 40 API calls 2 library calls 35288->35686 35289 41e08e 35293 438c70 std::_Throw_Cpp_error 40 API calls 35289->35293 35295 402df0 std::_Throw_Cpp_error 42 API calls 
35291->35295 35293->35276 35294 41df4f 35299 402df0 std::_Throw_Cpp_error 42 API calls 35294->35299 35300 41dc77 35295->35300 35296 41e0b2 35301 438c70 std::_Throw_Cpp_error 40 API calls 35296->35301 35299->35307 35683 407a20 RtlFreeHeap GetLastError ___std_exception_destroy 35300->35683 35305 41e0b7 35301->35305 35684 4135b0 40 API calls 2 library calls 35302->35684 35303 41de26 35687 4135b0 40 API calls 2 library calls 35303->35687 35307->35259 35307->35262 35307->35296 35308 41dc86 35309 402df0 std::_Throw_Cpp_error 42 API calls 35308->35309 35310 41dc95 35309->35310 35310->35289 35310->35311 35311->35265 35311->35266 35312->34518 35313->34518 35314->34518 35315->34518 35316->34518 35318 4d6870 35317->35318 35318->35318 35319 403040 std::_Throw_Cpp_error 42 API calls 35318->35319 35320 4d6885 35319->35320 35321 403040 std::_Throw_Cpp_error 42 API calls 35320->35321 35322 4d68c2 35321->35322 35696 4e64d0 35322->35696 35325 4d6a4c 35327 4fad00 3 API calls 35325->35327 35369 4d6a59 35327->35369 35329 41ab20 42 API calls 35330 4d699f 35329->35330 35332 41e710 42 API calls 35330->35332 35331 4185d0 78 API calls 35333 4d6a6d 35331->35333 35334 4d69b6 35332->35334 35333->34518 35335 41ad80 42 API calls 35334->35335 35336 4d69cc 35335->35336 35337 402df0 std::_Throw_Cpp_error 42 API calls 35336->35337 35338 4d69f0 35337->35338 35339 402df0 std::_Throw_Cpp_error 42 API calls 35338->35339 35340 4d69ff 35339->35340 35341 402df0 std::_Throw_Cpp_error 42 API calls 35340->35341 35342 4d6a0e CopyFileA 35341->35342 35343 4d6a2a 35342->35343 35344 4d6a82 35342->35344 35780 4d6ba0 141 API calls __fread_nolock 35343->35780 35730 432b99 35344->35730 35348 4d6a3c 35348->35344 35351 4d6a40 35348->35351 35349 4d6aa1 35352 4d6b89 35349->35352 35353 4d6ab1 35349->35353 35350 4d6b82 35783 432534 78 API calls 3 library calls 35350->35783 35355 402df0 std::_Throw_Cpp_error 42 API calls 35351->35355 35784 432534 78 API calls 3 library calls 35352->35784 35733 4fad00 35353->35733 
35355->35325 35359 4d6b9a 35360 4163b0 std::_Throw_Cpp_error 42 API calls 35361 4d6ae1 35360->35361 35362 4d6afb 35361->35362 35781 423a30 42 API calls 4 library calls 35361->35781 35364 402df0 std::_Throw_Cpp_error 42 API calls 35362->35364 35365 4d6b60 35364->35365 35782 432baa RtlReleaseSRWLockExclusive 35365->35782 35367 4d6b6e 35368 402df0 std::_Throw_Cpp_error 42 API calls 35367->35368 35368->35369 35369->35331 35371 511410 35370->35371 35373 510f57 35370->35373 35371->34518 35373->35371 35932 511420 35373->35932 35374 5113f1 35374->34518 35376 511420 3 API calls 35376->35374 35378 510fe7 35379 5113ba 35378->35379 35380 5475d0 3 API calls 35378->35380 35379->35376 35380->35379 35381->34518 35382->34518 35383->34518 35384->34518 35386 4c6b42 CryptUnprotectData 35385->35386 35387 4c6b5d 35386->35387 35388 4c6b68 35386->35388 35387->35386 35387->35388 35389 4c6b8c 35388->35389 35390 4423ec ___std_exception_copy 3 API calls 35388->35390 35389->34518 35391 4c6b7a 35390->35391 35392 4c6b83 LocalFree 35391->35392 35393 4c6ba1 __fread_nolock std::_Locinfo::_Locinfo_ctor 35391->35393 35392->35389 35394 403040 std::_Throw_Cpp_error 42 API calls 35393->35394 35395 4c6bed 35394->35395 35396 402df0 std::_Throw_Cpp_error 42 API calls 35395->35396 35398 4c6c05 35395->35398 35396->35398 35397 4c6c5a std::ios_base::_Ios_base_dtor 36070 441c96 35397->36070 35398->35397 35400 4c6c9d 35398->35400 35402 438c70 std::_Throw_Cpp_error 40 API calls 35400->35402 35403 4c6ca2 35402->35403 35404 4163b0 std::_Throw_Cpp_error 42 API calls 35403->35404 35405 4c6ce7 35404->35405 35406 4163b0 std::_Throw_Cpp_error 42 API calls 35405->35406 35407 4c6cfd 35406->35407 35409 4c6d12 35407->35409 36073 423800 35407->36073 35410 402df0 std::_Throw_Cpp_error 42 API calls 35409->35410 35411 4c6d3d 35410->35411 35412 402df0 std::_Throw_Cpp_error 42 API calls 35411->35412 35413 4c6d52 35412->35413 35414 402df0 std::_Throw_Cpp_error 42 API calls 35413->35414 35415 4c6d5e 35414->35415 35416 402df0 
std::_Throw_Cpp_error 42 API calls 35415->35416 35417 4c6d6d 35416->35417 35417->34518 35419->34518 35421 432b99 12 API calls 35420->35421 35422 4d6634 35421->35422 35423 4d663f 35422->35423 35424 4d6768 35422->35424 35426 4d676f 35423->35426 35427 4d664f 35423->35427 36122 432534 78 API calls 3 library calls 35424->36122 36123 432534 78 API calls 3 library calls 35426->36123 35429 4d668e 35427->35429 35432 4d66c2 35427->35432 35431 54b110 3 API calls 35429->35431 35430 4d6780 35433 4d6695 35431->35433 35434 54b110 3 API calls 35432->35434 36121 432baa RtlReleaseSRWLockExclusive 35433->36121 35435 4d66c9 35434->35435 36108 43d25e 35435->36108 35437 4d66a9 35437->34518 35439 4d6747 35440 402df0 std::_Throw_Cpp_error 42 API calls 35439->35440 35440->35433 35441 402df0 std::_Throw_Cpp_error 42 API calls 35442 4d66ed 35441->35442 35442->35439 35442->35441 35449->34250 35450->34193 35451->34207 35452->34206 35453->34458 35454->34458 35455->34458 35457 41e753 35456->35457 35458 4032d0 std::_Throw_Cpp_error 42 API calls 35457->35458 35459 41e758 std::_Locinfo::_Locinfo_ctor 35457->35459 35460 41e843 std::_Locinfo::_Locinfo_ctor 35458->35460 35459->34458 35460->34458 35461->34458 35462->34458 35468->35109 35469->35122 35470->35126 35471->35128 35472->35129 35473->35141 35474->35158 35475->35158 35476->35161 35477->35163 35478->35170 35479->35170 35486 426df1 35480->35486 35481 426e41 35484 433672 std::_Facet_Register 42 API calls 35481->35484 35482 426f1c 35491 407260 42 API calls 35482->35491 35487 426e62 35484->35487 35485 426f21 35486->35481 35486->35482 35489 426e23 35486->35489 35488 417ef0 42 API calls 35487->35488 35488->35489 35489->35189 35491->35485 35501 43975e 35492->35501 35494 439832 35494->35213 35495 43d0a8 35494->35495 35496 43d0bb __fread_nolock 35495->35496 35547 43cf83 35496->35547 35498 43d0c7 35499 43899c __fread_nolock 40 API calls 35498->35499 35500 43d0d3 35499->35500 35500->35213 35503 43976a __fread_nolock 35501->35503 35502 439771 35518 438c60 
Execution Graph (call-graph dump, nodes 34518 to 36790; the dump breaks off at node 36609): the machine-generated node/edge list of the form "<node id> <address> <labels> ... <src>-><dst> ..." is omitted here. Nodes are labelled either with Windows API names or with MSVC CRT/STL symbols (__fread_nolock, __dosmaperr, std::_Throw_Cpp_error, std::_Locinfo::_Locinfo_ctor) and "N API calls" counts. What this part of the graph records:

Heap, locking, errors: RtlAllocateHeap, RtlFreeHeap, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlAcquireSRWLockExclusive, RtlTryAcquireSRWLockExclusive, RtlReleaseSRWLockExclusive, GetCurrentThreadId, GetLastError, SetLastError, LocalFree, RaiseException, MultiByteToWideChar, IsProcessorFeaturePresent.
Time: GetSystemTimePreciseAsFileTime, GetSystemTimeAsFileTime, Sleep.
Fatal-error path (0x43451d, reached from the SRW-lock helper at 0x432bc8 via 0x433d77): SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.
File system and profile data: ReadFile and GetConsoleMode (0x448910), DeleteFileW (0x44b9d0, after an ANSI-to-wide conversion at 0x43d0d8), FindCloseChangeNotification, CreateDirectoryA (0x4a1c5f, 0x4a1f46), SHGetFolderPathA, GetPrivateProfileSectionNamesA, GetPrivateProfileStringA, lstrlen. Three near-identical routines at 0x49af60, 0x49d3a0 and 0x49f0d0 each call SHGetFolderPathA and then enumerate an INI-style file with GetPrivateProfileSectionNamesA / GetPrivateProfileStringA.
Winsock: WSAStartup, getaddrinfo, socket, connect, closesocket, FreeAddrInfoW, WSACleanup (0x4c8590: WSAStartup -> getaddrinfo -> socket -> connect, with closesocket / FreeAddrInfoW / WSACleanup on the failure edges); setsockopt, recv, WSAGetLastError in a receive loop at 0x4c7b00 that calls Sleep between retries; WSASend at 0x4095f0, resolved at run time through GetModuleHandleA / GetProcAddress.
448b88 ReadConsoleW 36603->36609 36630 4416ec 14 API calls __dosmaperr 36604->36630 36631 4425fd 42 API calls __fread_nolock 36605->36631 36635 4416ec 14 API calls __dosmaperr 36606->36635 36621 4489f5 __fread_nolock 36607->36621 36632 4416a5 14 API calls __dosmaperr 36607->36632 36616 448c24 36608->36616 36617 448c0d 36608->36617 36608->36621 36609->36608 36612 448ba2 GetLastError 36609->36612 36610 44b01a ___std_exception_destroy 2 API calls 36610->36578 36612->36607 36618 448c3d 36616->36618 36616->36621 36633 448622 45 API calls 2 library calls 36617->36633 36634 448468 43 API calls __fread_nolock 36618->36634 36621->36610 36622 448c42 36622->36621 36623->36562 36624->36564 36625->36578 36626->36580 36627->36587 36628->36621 36629->36591 36630->36621 36631->36590 36632->36621 36633->36621 36634->36622 36635->36621 36636->36580 36637->36578 36488 4393ab 36489 4393be __fread_nolock 36488->36489 36494 438cc1 36489->36494 36492 43899c __fread_nolock 40 API calls 36493 4393d6 36492->36493 36495 438ccd __fread_nolock 36494->36495 36496 438cf5 36495->36496 36497 438cd4 36495->36497 36505 441250 RtlEnterCriticalSection 36496->36505 36509 438be3 40 API calls 2 library calls 36497->36509 36500 438d00 36506 438dd0 36500->36506 36501 438ced 36501->36492 36505->36500 36511 438e02 36506->36511 36508 438d0f 36510 438d37 RtlLeaveCriticalSection __fread_nolock 36508->36510 36509->36501 36510->36501 36512 438e11 36511->36512 36513 438e39 36511->36513 36528 438be3 40 API calls 2 library calls 36512->36528 36515 44a1e9 __fread_nolock 40 API calls 36513->36515 36516 438e42 36515->36516 36525 4425df 36516->36525 36519 438eec 36529 43916e 45 API calls 3 library calls 36519->36529 36521 438f03 36524 438e2c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 36521->36524 36530 438fa3 44 API calls 2 library calls 36521->36530 36522 438efb 36522->36524 36524->36508 36531 4423f7 36525->36531 36528->36524 36529->36522 36530->36524 36532 442403 __fread_nolock 36531->36532 36533 442446 36532->36533 
36535 44248c 36532->36535 36541 438e60 36532->36541 36543 438be3 40 API calls 2 library calls 36533->36543 36542 44e6c4 RtlEnterCriticalSection 36535->36542 36537 442492 36538 4424b3 36537->36538 36539 44251c __fread_nolock 42 API calls 36537->36539 36544 442514 RtlLeaveCriticalSection 36538->36544 36539->36538 36541->36519 36541->36521 36541->36524 36542->36537 36543->36541 36544->36541 32535 43d5f6 32536 43d609 __fread_nolock 32535->32536 32541 43d34d 32536->32541 32543 43d359 __fread_nolock 32541->32543 32542 43d35f 32568 438be3 40 API calls 2 library calls 32542->32568 32543->32542 32546 43d3a2 32543->32546 32545 43d37a 32552 43899c 32545->32552 32558 441250 RtlEnterCriticalSection 32546->32558 32548 43d3ae 32559 43d4d0 32548->32559 32550 43d3c4 32569 43d3ed RtlLeaveCriticalSection __fread_nolock 32550->32569 32553 4389a8 32552->32553 32554 4389bf 32553->32554 32670 438a47 40 API calls 2 library calls 32553->32670 32556 4389d2 32554->32556 32671 438a47 40 API calls 2 library calls 32554->32671 32558->32548 32560 43d4e3 32559->32560 32561 43d4f6 32559->32561 32560->32550 32570 43d3f7 32561->32570 32563 43d519 32567 43d5a7 32563->32567 32574 439a91 32563->32574 32567->32550 32568->32545 32569->32545 32571 43d460 32570->32571 32572 43d408 32570->32572 32571->32563 32572->32571 32583 4425fd 42 API calls __fread_nolock 32572->32583 32575 439aaa 32574->32575 32579 439ad1 32574->32579 32575->32579 32584 44a1e9 32575->32584 32577 439ac6 32589 449678 32577->32589 32580 44263d 32579->32580 32652 44251c 32580->32652 32582 442656 32582->32567 32583->32571 32585 44a1f5 32584->32585 32586 44a20a 32584->32586 32600 438c60 40 API calls __fread_nolock 32585->32600 32586->32577 32588 44a205 32588->32577 32592 449684 __fread_nolock 32589->32592 32590 44968c 32590->32579 32591 4496c5 32630 438be3 40 API calls 2 library calls 32591->32630 32592->32590 32592->32591 32594 44970b 32592->32594 32601 44e6c4 RtlEnterCriticalSection 32594->32601 32596 449711 32597 44972f 32596->32597 
32602 449789 32596->32602 32631 449781 RtlLeaveCriticalSection 32597->32631 32600->32588 32601->32596 32603 4497b1 32602->32603 32629 4497d4 __fread_nolock 32602->32629 32604 4497b5 32603->32604 32606 449810 32603->32606 32639 438be3 40 API calls 2 library calls 32604->32639 32607 44263d 42 API calls 32606->32607 32609 44982e 32606->32609 32607->32609 32632 4492ce 32609->32632 32611 449846 32615 449875 32611->32615 32616 44984e 32611->32616 32612 44988d 32613 4498f6 WriteFile 32612->32613 32614 4498a1 32612->32614 32617 449918 GetLastError 32613->32617 32613->32629 32619 4498e2 32614->32619 32620 4498a9 32614->32620 32641 448e9f 54 API calls 2 library calls 32615->32641 32616->32629 32640 449266 6 API calls 32616->32640 32617->32629 32644 44934b 7 API calls _ValidateLocalCookies 32619->32644 32621 4498ce 32620->32621 32622 4498ae 32620->32622 32643 44950f 8 API calls 2 library calls 32621->32643 32625 4498b7 32622->32625 32622->32629 32642 449426 7 API calls _ValidateLocalCookies 32625->32642 32627 449888 32627->32629 32629->32597 32630->32590 32631->32590 32645 453be3 32632->32645 32634 449344 32634->32611 32634->32612 32635 4492e0 32635->32634 32636 44930e 32635->32636 32650 43e1d0 50 API calls 2 library calls 32635->32650 32636->32634 32637 449328 GetConsoleMode 32636->32637 32637->32634 32639->32629 32640->32629 32641->32627 32642->32629 32643->32627 32644->32627 32646 453bf0 32645->32646 32648 453bfd 32645->32648 32646->32635 32647 453c09 32647->32635 32648->32647 32651 438c60 40 API calls __fread_nolock 32648->32651 32650->32636 32651->32646 32658 44e940 32652->32658 32654 44252e 32655 44254a SetFilePointerEx 32654->32655 32657 442536 __fread_nolock 32654->32657 32656 442562 GetLastError 32655->32656 32655->32657 32656->32657 32657->32582 32659 44e962 32658->32659 32660 44e94d 32658->32660 32663 44e987 32659->32663 32668 4416ec 14 API calls __dosmaperr 32659->32668 32667 4416ec 14 API calls __dosmaperr 32660->32667 32663->32654 32664 44e992 32669 438c60 40 
API calls __fread_nolock 32664->32669 32665 44e952 32665->32654 32667->32665 32668->32664 32669->32665 32670->32554 32671->32556
                                                            APIs
                                                            • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004AA277
                                                              • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?), ref: 004C613F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: FileFindFirstFolderPath
                                                            • String ID: ;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$Jzv"$WUa5$X<b.$cannot use operator[] with a string argument with $cannot use push_back() with
                                                            • API String ID: 2195519125-383699475
                                                            • Opcode ID: a9177fbbe17572fbd4b84f9919c9dbe39e8faa86fef2cda6b0e8cc26f7163890
                                                            • Instruction ID: d5c29c46e18a526762dbfc7c8aed9f945ae13eab665394adbd88e65e82b678fb
                                                            • Opcode Fuzzy Hash: a9177fbbe17572fbd4b84f9919c9dbe39e8faa86fef2cda6b0e8cc26f7163890
                                                            • Instruction Fuzzy Hash: 29B433B0D052698BDB25CF68C984BEEBBB1BF49304F1081DAD449A7281DB746F84CF95
                                                            APIs
                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 0049F224
                                                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049F322
                                                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049F515
                                                            • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 004A1C76
                                                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE ref: 004E6CFC
                                                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32 ref: 004E6D07
                                                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 004A1F5D
                                                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004A348E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
                                                            • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with $~]d
                                                            • API String ID: 2833034228-1763774129
                                                            • Opcode ID: 7d93ad9b4b1ce352e5d1ee811a148a18318d73da804a40fe56edda9e192c09f8
                                                            • Instruction ID: 3f98b5ef17dcfaa8f689e4fcb5a5d7fbbd5e2711f2842c60bb6495c93d0a2e70
                                                            • Opcode Fuzzy Hash: 7d93ad9b4b1ce352e5d1ee811a148a18318d73da804a40fe56edda9e192c09f8
                                                            • Instruction Fuzzy Hash: 2793DCB4D052A98ADB65CF29C990BEDBBB1BF59304F0081EAD84DA7241DB742BC4CF45

                                                             Control-flow Graph (graph rendering of function 4c7b00 omitted; edge list not reproduced)

                                                            APIs
                                                            • setsockopt.WS2_32(00000378,0000FFFF,00001006,?,00000008), ref: 004C7BA6
                                                            • recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
                                                            • WSAGetLastError.WS2_32 ref: 004C7BC5
                                                            • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
                                                            • recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
                                                            • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
                                                            • recv.WS2_32(00000000,?,00000008), ref: 004C7D1B
                                                              • Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
                                                              • Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
                                                              • Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
                                                              • Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
                                                              • Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
                                                              • Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
                                                              • Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690
                                                            • recv.WS2_32(?,00000004,00000008), ref: 004C7E23
                                                            • __Xtime_get_ticks.LIBCPMT ref: 004C7E2A
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
                                                            • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
                                                            • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
                                                            • String ID:
                                                            • API String ID: 3089209366-0
                                                            • Opcode ID: bf63d13b1ff8512e0977649ea2c4b5d39b1ddf7e820bf7edad5e0a4297d173d9
                                                            • Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
                                                            • Opcode Fuzzy Hash: bf63d13b1ff8512e0977649ea2c4b5d39b1ddf7e820bf7edad5e0a4297d173d9
                                                            • Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95
                                                            APIs
                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 0049B158
                                                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049B265
                                                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049B458
                                                            • lstrlen.KERNEL32(?), ref: 0049D22D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                                            • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with
                                                            • API String ID: 1311570089-747751661
                                                            • Opcode ID: c7548e9aab67caa6fd7e4735ddc45b734348763a357b6ffe448b77bd6da819b4
                                                            • Instruction ID: b2dbe3f5757ef5304a2bca7f4d9e3a7c922558eb406562d1b13ccbd165419304
                                                            • Opcode Fuzzy Hash: c7548e9aab67caa6fd7e4735ddc45b734348763a357b6ffe448b77bd6da819b4
                                                            • Instruction Fuzzy Hash: BF2321B0D042688BDB25CF28C9947EDBBB1BF59304F1082EAE449A7281DB746BC4CF55
                                                            APIs
                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 0049D4F4
                                                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049D5F2
                                                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049D7E5
                                                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0049EF32
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                                            • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                                            • API String ID: 1311570089-3306948993
                                                            • Opcode ID: 5d224bfb82d7c9fcd97c78c1f7bd274914e5a38299a5b7267bf76e394b5648f2
                                                            • Instruction ID: d38aed82ee4788d52106214de1412b854dd9129e0c255bb6c7140376d04d8967
                                                            • Opcode Fuzzy Hash: 5d224bfb82d7c9fcd97c78c1f7bd274914e5a38299a5b7267bf76e394b5648f2
                                                            • Instruction Fuzzy Hash: 570334B0D042688BDB25CF28C9947EEBBB4BF59304F1042EED449A7281EB746B84CF55

                                                            Control-flow Graph
                                                            • Function at 0x4fad00 (basic blocks 0x4fad00-0x4fb364). No Windows API is called directly. Internal calls: 0x4fbf00, 0x54a0f0, 0x4359b0, 0x54b110, 0x54a8c0, 0x4fb370, 0x5475d0, 0x549d90, 0x5461b0, 0x4fb5d0, 0x51ba20, 0x4fb710, 0x51bbd0, 0x4fbbd0. The String ID below lists SQLite's built-in collation names (BINARY, NOCASE, RTRIM) and sqlite3 error-message formats, so this is code from a statically linked SQLite engine, the component the sample uses to read browser databases.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
                                                            • API String ID: 0-1885142750
                                                            • Opcode ID: a864fd7dad79a32950e1a3954983aec6090b04f88dbfbe7a85b3d92d191a67f2
                                                            • Instruction ID: 5912c9be0b5fe0253428befa1510005b8e6d21b15bd6994098c8da1f87b2af15
                                                            • Opcode Fuzzy Hash: a864fd7dad79a32950e1a3954983aec6090b04f88dbfbe7a85b3d92d191a67f2
                                                            • Instruction Fuzzy Hash: 510258B0A007089BEB209F15DC4577B7BE4EF51304F14442EEA4A9B391EBB9E944CBC6

                                                            Control-flow Graph
                                                            • Function at 0x4c6000 (basic blocks 0x4c6000-0x4c6493). Flow: FindFirstFileA; then a loop that processes each directory entry and calls FindNextFileA; when FindNextFileA fails, GetLastError decides whether to continue the loop or call FindClose. Internal calls: 0x41ab20, 0x402df0, 0x403040, 0x4242a0, 0x418f00, 0x4338f3, 0x438c70. This is a directory-walk primitive; which directories it is pointed at is not visible in this block.
                                                            APIs
                                                            • FindFirstFileA.KERNELBASE(00000000,?), ref: 004C613F
                                                            • FindNextFileA.KERNELBASE(00000000,?), ref: 004C643F
                                                            • GetLastError.KERNEL32 ref: 004C644D
                                                            • FindClose.KERNEL32(00000000), ref: 004C645D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Find$File$CloseErrorFirstLastNext
                                                            • String ID:
                                                            • API String ID: 819619735-0
                                                            • Opcode ID: a7ad18d51658f77bd61d09f36d0788fbadf79f2108f720d862e139cd03739d85
                                                            • Instruction ID: afe6fe270f27518361ed143ef8865d869d8c660e8b4c9bb3a5978c93709ae348
                                                            • Opcode Fuzzy Hash: a7ad18d51658f77bd61d09f36d0788fbadf79f2108f720d862e139cd03739d85
                                                            • Instruction Fuzzy Hash: ACD17CB4C043488FDB24CF98C994BEEBBB1BF45314F14829ED4496B392D7785A84CB59

                                                            Control-flow Graph
                                                            • Function at 0x4c6b00 (basic blocks 0x4c6b00-0x4c6d7a). Flow: CryptUnprotectData is called in a retry loop (block 0x4c6b42-0x4c6b5b is re-entered from 0x4c6b5d); the DPAPI output buffer is released with LocalFree at 0x4c6b86 and 0x4c6c82, as the API requires. Internal calls: 0x4423ec, 0x4359b0, 0x435270, 0x403040, 0x402df0, 0x441c96, 0x4338f3, 0x438c70, 0x4163b0, 0x423800, 0x42bb70. The argument list recorded under APIs shows a NULL entropy pointer, NULL prompt structure and zero flags, so anything protected under the logged-on user's DPAPI profile is decrypted without further input; this is the primitive behind the browser-credential theft flagged in the Signatures section.
                                                            APIs
                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
                                                            • LocalFree.KERNEL32(?), ref: 004C6B86
                                                            • LocalFree.KERNEL32(?), ref: 004C6C82
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: FreeLocal$CryptDataUnprotect
                                                            • String ID:
                                                            • API String ID: 2835072361-0
                                                            • Opcode ID: 1533ca36fc6368f71f1706799fb82bbbf52b30dfe3248a4a7a1959e0c4880e2a
                                                            • Instruction ID: 6019ec204b0dd747d4126109e6a4f8e7bf51aa55734569d67b400ef60c6c0d13
                                                            • Opcode Fuzzy Hash: 1533ca36fc6368f71f1706799fb82bbbf52b30dfe3248a4a7a1959e0c4880e2a
                                                            • Instruction Fuzzy Hash: 6171B171C002489BDB00DFA8C945BEEFBB4EF14314F10826EE851B3391EB786A44DBA5

                                                            Control-flow Graph
                                                            • Function at 0x53f550 (basic blocks 0x53f550-0x53fae5). No Windows API is called; the two references under APIs are to the nothrow operator new (mangled ??2@YAPAXIABUnothrow_t@std@@@Z) at 0x53f705 and 0x53fa07, so this is C++ runtime container allocation code rather than stealer logic. Internal calls: 0x540540, 0x543e60, 0x541710, 0x540af0, 0x541490, 0x458660, 0x54ac20.
                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053F705
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053FA07
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 885266447-0
                                                            • Opcode ID: 6ae8c637088de4902e6d455990272f9b247a4e20bc2d6b6d02b88d9e5933e8eb
                                                            • Instruction ID: 1f76d2344d35fe0e13097961589cbfb84b6978ae6f877586e2245b879765d82e
                                                            • Opcode Fuzzy Hash: 6ae8c637088de4902e6d455990272f9b247a4e20bc2d6b6d02b88d9e5933e8eb
                                                            • Instruction Fuzzy Hash: E3029C71A04702AFDB18CF29C840B6ABBE4BF88318F14867DE859D7650D774ED94CB92

                                                            Control-flow Graph
                                                            • Function at 0x4c8590 (basic blocks 0x4c8590-0x4c86b8). Flow: WSAStartup; getaddrinfo; for each returned address, socket then connect; on connect failure closesocket and try the next address; once an address connects, FreeAddrInfoW and return the connected socket; if getaddrinfo returns nothing, socket fails, or every address fails, the list is freed and WSACleanup is called. Internal calls: 0x4ea420 (twice). This is the sample's outbound TCP connect primitive for one host and port; repeated calls with different ports would account for the "Connects to many ports of the same IP" signature.
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                                            • String ID:
                                                            • API String ID: 448659506-0
                                                            • Opcode ID: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                                            • Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
                                                            • Opcode Fuzzy Hash: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                                            • Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7
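The three API-bearing routines in this part of the report (the FindFirstFileA/FindNextFileA walk at 0x4c6000, the CryptUnprotectData/LocalFree routine at 0x4c6b00 and the Winsock connect routine at 0x4c8590) are the ones an analyst wants to pull out of a function dump like this mechanically, together with the Instruction Fuzzy Hash that lets the same routine be found in other samples. The following is an added example, not code from Joe Sandbox or its IDA plugin: it parses the plain-text form of these function blocks (the control_flow_graph line, the "• API.MODULE(args), ref: ADDR" entries and the Instruction Fuzzy Hash line) and tags each function with a behaviour label. The sample input is constructed from the blocks above with the graph dumps cut down to their first edges; the behaviour table is this example's own heuristic, and it assumes the API and module names appear exactly as the plugin prints them.

```python
"""Parse per-function API references out of a Joe Sandbox function dump and
tag each function with the behaviour its imports imply.

Added example, not Joe Sandbox code.  The behaviour labels are this
example's own heuristics, not anything the report states.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: taken from the function blocks of this report, with the
# control_flow_graph dumps shortened to their first edges.
SAMPLE = """\
control_flow_graph 8340 4c6000-4c6070 8341 4c608a-4c6133 call 41ab20 8340->8341
APIs
• FindFirstFileA.KERNELBASE(00000000,?), ref: 004C613F
• FindNextFileA.KERNELBASE(00000000,?), ref: 004C643F
• GetLastError.KERNEL32 ref: 004C644D
• FindClose.KERNEL32(00000000), ref: 004C645D
Memory Dump Source
• Instruction Fuzzy Hash: ACD17CB4C043488FDB24CF98C994BEEBBB1BF45314F14829ED4496B392D7785A84CB59
Control-flow Graph
control_flow_graph 8492 4c6b00-4c6b3f 8493 4c6b42-4c6b5b CryptUnprotectData 8492->8493
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
• LocalFree.KERNEL32(?), ref: 004C6B86
• LocalFree.KERNEL32(?), ref: 004C6C82
• Instruction Fuzzy Hash: 6171B171C002489BDB00DFA8C945BEEFBB4EF14314F10826EE851B3391EB786A44DBA5
Control-flow Graph
control_flow_graph 5071 4c8590-4c85c2 WSAStartup 5072 4c85c8-4c85f2 call 4ea420 * 2 5071->5072 5078 4c85fe-4c8644 getaddrinfo 5072->5078 5081 4c8690 WSACleanup 5078->5081 5083 4c86a4-4c86ae FreeAddrInfoW 5085 4c8654-4c8668 socket 5086 4c866a-4c867a connect 5087 4c867c-4c8684 closesocket
APIs
• Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7
"""

# A function record starts at its "control_flow_graph <id> <entry>-..." line.
CFG_RE = re.compile(r"^control_flow_graph \d+ ([0-9a-f]+)")
# "• Name.MODULE(args), ref: ADDR"  or  "• Name.MODULE ref: ADDR"
API_REF_RE = re.compile(
    r"^\s*•\s*(\S+?)\.([A-Z0-9]+)(?:\([^)]*\))?,? ref: ([0-9A-Fa-f]+)", re.M)
IFH_RE = re.compile(r"Instruction Fuzzy Hash: ([0-9A-F]+)")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
HEX_RE = re.compile(r"[0-9a-f]+")

# Heuristic labels (assumption of this example): a function gets a label when
# it references every API in the set.
BEHAVIOURS = {
    "dpapi-decrypt": {"CryptUnprotectData"},
    "directory-walk": {"FindFirstFileA", "FindNextFileA"},
    "outbound-tcp-connect": {"getaddrinfo", "socket", "connect"},
}


@dataclass
class FunctionBlock:
    entry: int
    api_refs: list = field(default_factory=list)   # (name, module, ref address)
    cfg_apis: list = field(default_factory=list)   # names that appear only in the graph
    fuzzy_hash: str = ""

    def api_names(self):
        """Distinct API names in listing (address) order, graph-only names last."""
        names = []
        for name, _, _ in sorted(self.api_refs, key=lambda r: r[2]):
            if name not in names:
                names.append(name)
        for name in self.cfg_apis:
            if name not in names:
                names.append(name)
        return names

    def labels(self):
        present = set(self.api_names())
        return sorted(k for k, needed in BEHAVIOURS.items() if needed <= present)


def cfg_api_names(cfg_line):
    """API names embedded in the graph dump: identifier tokens that are neither
    dump keywords nor hex addresses (every API name here contains a letter
    outside a-f, so a pure-hex token is an address)."""
    out = []
    for tok in cfg_line.split():
        if tok in ("control_flow_graph", "call"):
            continue
        if IDENT_RE.fullmatch(tok) and not HEX_RE.fullmatch(tok):
            out.append(tok)
    return out


def parse_function_blocks(text):
    blocks = []
    for chunk in re.split(r"(?m)^(?=control_flow_graph )", text):
        head = CFG_RE.match(chunk)
        if not head:
            continue
        fn = FunctionBlock(entry=int(head.group(1), 16))
        fn.cfg_apis = cfg_api_names(chunk.splitlines()[0])
        for name, module, ref in API_REF_RE.findall(chunk):
            fn.api_refs.append((name, module, int(ref, 16)))
        ifh = IFH_RE.search(chunk)
        if ifh:
            fn.fuzzy_hash = ifh.group(1)
        blocks.append(fn)
    return blocks


def triage(text):
    """Map each function's entry address (hex) to its behaviour labels."""
    return {f"{fn.entry:x}": fn.labels() for fn in parse_function_blocks(text)}


if __name__ == "__main__":
    for fn in parse_function_blocks(SAMPLE):
        tags = ",".join(fn.labels()) or "-"
        chain = " -> ".join(fn.api_names())
        print(f"{fn.entry:08x}  {tags:22}  {chain}")
```

The graph-only harvesting matters for the Winsock routine, whose APIs list is empty in the report: its imports are visible only as tokens on the control_flow_graph line. The labels are a pivot point, not a verdict; the Instruction Fuzzy Hash kept on each record is what you would carry to other samples to look for the same routine.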

                                                            Control-flow Graph
                                                            • Function at 0x448910 (basic blocks 0x448910-0x448c9a). Flow: GetConsoleMode on the handle decides between ReadConsoleW (console handle) and ReadFile; GetLastError when either read fails. Internal calls: 0x4416ec, 0x4416ff, 0x438c60, 0x44b094, 0x44b01a, 0x4425fd, 0x453be3, 0x4416a5, 0x448622, 0x448779, 0x448468. The ReadFile/ReadConsoleW split is the pattern of a C runtime low-level read routine, not stealer-specific logic.
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 902ce7424542a7d6309be3872ecc1540050696f48f214c3cf9d5a8d8ad4329c7
                                                            • Instruction ID: d4d7462daa34083545f9d93f0c5ebf53bf58a01a885379ada905c47cec286c1a
                                                            • Opcode Fuzzy Hash: 902ce7424542a7d6309be3872ecc1540050696f48f214c3cf9d5a8d8ad4329c7
                                                            • Instruction Fuzzy Hash: E2B1F4B0A00245AFFB11DF99C881BAE7BB1FF55304F14015EE414AB392CB78AD81CB69

                                                            Control-flow Graph
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
                                                            • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressHandleModuleProcSend
                                                            • String ID: Ws2_32.dll
                                                            • API String ID: 2819740048-3093949381
                                                            • Opcode ID: 64b94343ee35b0d26e9cca6c242c160ae38be4edcc292f427b63a3fe9f64685c
                                                            • Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
                                                            • Opcode Fuzzy Hash: 64b94343ee35b0d26e9cca6c242c160ae38be4edcc292f427b63a3fe9f64685c
                                                            • Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96

                                                            Control-flow Graph
                                                            APIs
                                                            • GetFileAttributesA.KERNELBASE ref: 004E6CFC
                                                            • GetLastError.KERNEL32 ref: 004E6D07
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                                            Similarity
                                                            • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 995686243-0
                                                            • Opcode ID: 751d59ce9cbdb692ee5bb2d2431e64d06372360fcf2dbebe5d89e7aefb34e6ec
                                                            • Instruction ID: 241e2f942859b358e1133ab4bf22632851a161ac9c5554c12c2f2fb0b7350d8e
                                                            • Opcode Fuzzy Hash: 751d59ce9cbdb692ee5bb2d2431e64d06372360fcf2dbebe5d89e7aefb34e6ec
                                                            • Instruction Fuzzy Hash: DF11CE71A0028496DB205F6A5C08F6A7F60EB22772F64031BD8359B3D4DB3948058759

                                                            Control-flow Graph
                                                            APIs
                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6A20
                                                              • Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                                              • Part of subcall function 004D6BA0: 6D7C7CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B84
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B95
                                                            Similarity
                                                            • API ID: Cpp_errorThrow_std::_$CopyErrorFileLast
                                                            • String ID:
                                                            • API String ID: 1723067277-0
                                                            • Opcode ID: 11b4a0396a972c246044828ff9232c2c340543bbb575df0b1910f0ee348e8719
                                                            • Instruction ID: af59b977606615079acd7a310a8afa41bd250120d803ccb4a837ad8b48953fd5
                                                            • Opcode Fuzzy Hash: 11b4a0396a972c246044828ff9232c2c340543bbb575df0b1910f0ee348e8719
                                                            • Instruction Fuzzy Hash: 5BD18BB0C00249DBDB04DFA9C9557EEBBB1BF54304F14419ED80577382EB785A45CBA6

                                                            Control-flow Graph
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(?,?,0043D2B1,?), ref: 0044B9D8
                                                            • GetLastError.KERNEL32(?,0043D2B1,?), ref: 0044B9E2
                                                            • __dosmaperr.LIBCMT ref: 0044B9E9
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast__dosmaperr
                                                            • String ID:
                                                            • API String ID: 1545401867-0
                                                            • Opcode ID: f2de21c809301a92c9af270f6a0d9b299ea33e9ee836554a714f56a71f06c523
                                                            • Instruction ID: 29a5b21677c8caf908dcad016bfb5ae84cbfd6cad116b975ceede8be2d8f2443
                                                            • Opcode Fuzzy Hash: f2de21c809301a92c9af270f6a0d9b299ea33e9ee836554a714f56a71f06c523
                                                            • Instruction Fuzzy Hash: 00D0C9321146086BEA106BB6BC089163B6D9A913797140616F52CC52A0EE25C895A665

                                                            Control-flow Graph
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8.46.123.33
                                                            • API String ID: 0-2289477214
                                                            • Opcode ID: 78568ed3c46049f99870abff71a8a0af4428d9f19c2022d6b1a423dafea535bf
                                                            • Instruction ID: 65307ecbef6fb9e01e3d4ad067897c34c173f6a72c2a6aa1ef5fcaa49911cde8
                                                            • Opcode Fuzzy Hash: 78568ed3c46049f99870abff71a8a0af4428d9f19c2022d6b1a423dafea535bf
                                                            • Instruction Fuzzy Hash: 0E02A070D04248DFDB14DF68C945BDDBBB0AB14308F14419ED8057B386EBB95E88DB9A

                                                            Control-flow Graph
                                                            APIs
                                                              • Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(DCECFDFE,00000000,00000000,?), ref: 00448F02
                                                            • WriteFile.KERNELBASE(?,00000000,0043D547,?,00000000,00000000,00000000,?,00000000,?,00432B5E,0043D547,00000000,00432B5E,?,?), ref: 0044990E
                                                            • GetLastError.KERNEL32(?,0043D547,00000000,?,00432B5E,?,00000000,00000000), ref: 00449918
                                                            Similarity
                                                            • API ID: ConsoleErrorFileLastOutputWrite
                                                            • String ID:
                                                            • API String ID: 2915228174-0
                                                            • Opcode ID: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
                                                            • Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
                                                            • Opcode Fuzzy Hash: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
                                                            • Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65
                                                            APIs
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004D676A
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004D677B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Cpp_errorThrow_std::_
                                                            • String ID:
                                                            • API String ID: 2134207285-0
                                                            • Opcode ID: c3335601a286ff14ab24843b336300d125ec5bb5c0d0c190e445c5a424deb578
                                                            • Instruction ID: 177bb7d1701b8dda1f5a90c4ee3be826f8175b366ab48e47effb054e9b4aa952
                                                            • Opcode Fuzzy Hash: c3335601a286ff14ab24843b336300d125ec5bb5c0d0c190e445c5a424deb578
                                                            • Instruction Fuzzy Hash: 6441F2B1E002058BC720DF68995136EBBA1BB94314F19072FE815673D1EB79EA04C795
                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E55
                                                            • GetLastError.KERNEL32(?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E5F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseErrorFindLastNotification
                                                            • String ID:
                                                            • API String ID: 1687624791-0
                                                            • Opcode ID: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
                                                            • Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
                                                            • Opcode Fuzzy Hash: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
                                                            • Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,00579E30,00432B5E,00000002,00432B5E,00000000,?,?,?,00442626,00000000,?,00432B5E,00000002,00579E30), ref: 00442558
                                                            • GetLastError.KERNEL32(00432B5E,?,?,?,00442626,00000000,?,00432B5E,00000002,00579E30,00000000,00432B5E,00000000,00579E30,0000000C,0043D61E), ref: 00442565
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
                                                            • Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
                                                            • Opcode Fuzzy Hash: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
                                                            • Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,00441CAE,00000001,?,?,00434B65,00000000,?,0046AB17,18EC83FF,?,00403522,?,?), ref: 0044B030
                                                            • GetLastError.KERNEL32(00000000,?,00441CAE,00000001,?,?,00434B65,00000000,?,0046AB17,18EC83FF,?,00403522,?,?), ref: 0044B03B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 485612231-0
                                                            • Opcode ID: 1c4e9b2b04b0a897153f19679bc75b8cfe8e1d75e6b310813c54f5389fc1414e
                                                            • Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
                                                            • Opcode Fuzzy Hash: 1c4e9b2b04b0a897153f19679bc75b8cfe8e1d75e6b310813c54f5389fc1414e
                                                            • Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798
                                                            APIs
                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 004239F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::cancel_current_task
                                                            • String ID:
                                                            • API String ID: 118556049-0
                                                            • Opcode ID: 2dba059dac2344147ab23dc7ec51248a0e8c85eac08d8f155e3ce09378acd2e4
                                                            • Instruction ID: ae0d64c3ee62d8e2c2672323fae3dbdcf3c597174b0ef38ce080d0ce73c77a4b
                                                            • Opcode Fuzzy Hash: 2dba059dac2344147ab23dc7ec51248a0e8c85eac08d8f155e3ce09378acd2e4
                                                            • Instruction Fuzzy Hash: 7E51D671B001149FCB04EF68DD82A6EBBB5AB48304F54462EF801EB3D1DB78AA44CB95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 604db14e0144287d266912850847b33f66d011360b7442347f2fca8d2ff93654
                                                            • Instruction ID: 9663080612542d3e5f9b84a36c3ecf1ef98ea00319430370267f097460dfd66c
                                                            • Opcode Fuzzy Hash: 604db14e0144287d266912850847b33f66d011360b7442347f2fca8d2ff93654
                                                            • Instruction Fuzzy Hash: 2651C670A00204AFDF14DF59C881AAABBA2EF8D328F24915EF8089B352D775DD41CB55
                                                            APIs
                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0040331F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::cancel_current_task
                                                            • String ID:
                                                            • API String ID: 118556049-0
                                                            • Opcode ID: 6b439644f511b7bf5bd0b924e2b63d29697b7510f9c6a7035d7f710025fe36b7
                                                            • Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
                                                            • Opcode Fuzzy Hash: 6b439644f511b7bf5bd0b924e2b63d29697b7510f9c6a7035d7f710025fe36b7
                                                            • Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 0044B0C6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: b7e36a13cebc6b94fc046e7096c459fccaa7ac3397201fdc4f87793c7ed3808e
                                                            • Instruction ID: 07eaf642519ac51a5bd3283dd2addbb445c80e248ae9cef49388ffb333b33e8c
                                                            • Opcode Fuzzy Hash: b7e36a13cebc6b94fc046e7096c459fccaa7ac3397201fdc4f87793c7ed3808e
                                                            • Instruction Fuzzy Hash: 99E022322006206BFF313AA69C14B5B764CEF413A3F190227EC25A62D1DB3CCC0092EE
                                                            APIs
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004E6C55
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C84
                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C95
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Cpp_errorThrow_std::_$CreateDirectory
                                                            • String ID: \*.*
                                                            • API String ID: 2715195259-1173974218
                                                            • Opcode ID: 9ffcfe6f386bd44e4457b7549f93ccb94d1878c7bcdfd22b0aebf5f6654fecd0
                                                            • Instruction ID: b2be1bc9108cd25bcd87be18baf4e69fd7455a47ff8891d9a14199d40660ba90
                                                            • Opcode Fuzzy Hash: 9ffcfe6f386bd44e4457b7549f93ccb94d1878c7bcdfd22b0aebf5f6654fecd0
                                                            • Instruction Fuzzy Hash: 7AE10470C00388DFDB10DFA9C9487EEBBB0FF25315F20425AE454AB292D7746A49DB65
                                                            APIs
                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 004CF2F1
                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004CF30D
                                                            • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004CF342
                                                            • VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004CF36B
                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 004CF50F
                                                            • WriteProcessMemory.KERNEL32(?,00000218,004CF5E0,-00000010,00000000), ref: 004CF531
                                                            • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 004CF544
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004CF54D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
                                                            • String ID: %s|%s$131
                                                            • API String ID: 2137838514-1629954864
                                                            • Opcode ID: ce5de6916eb82fb2c3e2b46286935f90e1821b5ebdf5ce2d493db38828e4aca6
                                                            • Instruction ID: 2ab717f03d3c912496b66fb944616d360f792c6fe5d042a247d22025e7d5b78f
                                                            • Opcode Fuzzy Hash: ce5de6916eb82fb2c3e2b46286935f90e1821b5ebdf5ce2d493db38828e4aca6
                                                            • Instruction Fuzzy Hash: 36B16BB1D002089FDB14CFA4CC95BAEBBB5FF18300F10426DE905BB291D774A984DBA5
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00496504
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00496602
• GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 004967F5
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498078
• lstrlen.KERNEL32(?), ref: 0049854F
Strings
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
• String ID: ;Yb.$Tz}9$cannot use operator[] with a string argument with $cannot use push_back() with
• API String ID: 3203477177-4100205650
• Opcode ID: 83d1c3ab1b6e3db52684e05b2f36f2496c3e8480c2a973d5a971f7f2431674d0
• Instruction ID: 6b3be8cf9a559e92d133cc3b6572ed682d4dab2050fd03768d9c929fe5be15d2
• Opcode Fuzzy Hash: 83d1c3ab1b6e3db52684e05b2f36f2496c3e8480c2a973d5a971f7f2431674d0
• Instruction Fuzzy Hash: 352300B0D052688BDB25CF28C9947EDBBB5BF49304F1082EAE449A7281DB746BC4CF55
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00498804
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00498902
• GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00498AF8
• lstrlen.KERNEL32(?), ref: 0049AE11
Strings
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
• String ID: ;Yb.$AN|5$cannot use operator[] with a string argument with $cannot use push_back() with
• API String ID: 1311570089-1903585501
• Opcode ID: 3da693805c04dce9bee472caddb77135d006d4dcd2ef7d97c51c55debd035886
• Instruction ID: e112265f5291f7fbed9e5ebb381307dd27655726dfd0f1f0b2bb5fda635101ca
• Opcode Fuzzy Hash: 3da693805c04dce9bee472caddb77135d006d4dcd2ef7d97c51c55debd035886
• Instruction Fuzzy Hash: D44322B0D052688BDB25CF28C8947EEBBB5BF49304F1082EAD449A7242DB756BC4CF55
APIs
• GetFileAttributesExW.KERNEL32(?,00000000,?,771AE010,?), ref: 004320BA
• GetLastError.KERNEL32 ref: 004320C4
• FindFirstFileW.KERNEL32(?,?), ref: 004320DB
• GetLastError.KERNEL32 ref: 004320E6
• FindClose.KERNEL32(00000000), ref: 004320F2
• ___std_fs_open_handle@16.LIBCPMT ref: 004321AB
Similarity
• API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
• String ID:
• API String ID: 2340820627-0
• Opcode ID: 399e9fa649e6a34084e5cc74f8c51f104b45a1f2b4104aba3408bb700d2d57cc
• Instruction ID: 7e0e21ba57e1066c6160095fdf5a0f96b949db91fc8e8bea8e80148e62c7c079
• Opcode Fuzzy Hash: 399e9fa649e6a34084e5cc74f8c51f104b45a1f2b4104aba3408bb700d2d57cc
• Instruction Fuzzy Hash: D971D275A007199FCB24CF28CE84BABB3B8BF09310F145296E954E3390D7B49E85CB95
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004E7942
• Process32First.KERNEL32(00000000,?), ref: 004E7952
• Process32Next.KERNEL32(00000000,?), ref: 004E796F
• Process32Next.KERNEL32(00000000,?), ref: 004E7C06
• CloseHandle.KERNEL32(00000000), ref: 004E7C12
Strings
Similarity
• API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
• String ID: exists
• API String ID: 2284531361-2996790960
• Opcode ID: 2b52750ecead61fc5423a51023d5c30c361313469b31e81f1a91713908b5e493
• Instruction ID: 97c7b09e85b18bfbd9d584b3fdec642588b5c84936fa195d86b40cf47ab6f1ca
• Opcode Fuzzy Hash: 2b52750ecead61fc5423a51023d5c30c361313469b31e81f1a91713908b5e493
• Instruction Fuzzy Hash: 24F232B0C042688BDB25CF69C994BEDBBB1BF49310F1082DED849A7391DB345A86CF55
APIs
  • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
  • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004535D7
• IsValidCodePage.KERNEL32(?), ref: 00453615
• IsValidLocale.KERNEL32(?,00000001), ref: 00453628
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00453670
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045368B
Strings
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID: *V
• API String ID: 415426439-2897881622
• Opcode ID: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
• Instruction ID: 4a54d826d8e8e5dc964d84ffa3ac1e49b68ae0fe58eca9cd8e7cd24ca5604c7d
• Opcode Fuzzy Hash: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
• Instruction Fuzzy Hash: 4E517471A00209AFDB20DFA5CC41ABF77B8AF05743F14446AED01E7252EB74DA48DB65
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 004C7051
  • Part of subcall function 00432534: __EH_prolog3.LIBCMT ref: 00432570
• std::_Throw_Cpp_error.LIBCPMT ref: 004C7062
  • Part of subcall function 004E74C0: __fread_nolock.LIBCMT ref: 004E7609
• DeleteFileA.KERNEL32(?), ref: 004C70EB
Strings
Similarity
• API ID: Cpp_errorThrow_std::_$DeleteFileH_prolog3__fread_nolock
• String ID: 131$selta
• API String ID: 3880692912-3297328945
• Opcode ID: 1cfe391f2a750f8d8f57f4610aeea9365e09def46e9aee0ee0e7997436c851c8
• Instruction ID: 7966019704e3fd473910eda9b3190c6326d4c2da0caac65bea49cbac806563d6
• Opcode Fuzzy Hash: 1cfe391f2a750f8d8f57f4610aeea9365e09def46e9aee0ee0e7997436c851c8
• Instruction Fuzzy Hash: 1E32ACB4D04248CFCB04DFA8C985BAEBBB1BF58304F14419EE8056B392D779AA45CF95
APIs
  • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
  • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
• GetACP.KERNEL32(?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?,?), ref: 00452C19
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?), ref: 00452C50
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3
Strings
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
• String ID: *V$utf8
• API String ID: 607553120-210452255
• Opcode ID: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
• Instruction ID: 742b11dcb7ff0b0bfa38c284345f0d68b4d7ce619a9ba0daefdf44cafbbca61f
• Opcode Fuzzy Hash: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
• Instruction Fuzzy Hash: F071FA32600602A6D725AF75CD45B6B73A8EF16705F10042FFD05D7283EBF8E94C9699
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00453605,?,?), ref: 0045338C
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00453605,?,?), ref: 004533B5
• GetACP.KERNEL32(?,?,00453605,?,?), ref: 004533CA
Strings
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
• Instruction ID: 0023b8279c9b3e3643c8ce07df61025d6c2b7e12d2ffc4f7461f6cfcb2a1a3ae
• Opcode Fuzzy Hash: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
• Instruction Fuzzy Hash: 8021C432600100A7DB308F54C900A9BB3A6AF50FD3B568466EC06D7312EF36EF49D358
APIs
• GetModuleHandleA.KERNEL32(?,771AE010,?), ref: 004E9BEE
• GetProcAddress.KERNEL32(00000000,?), ref: 004E9BF9
• GetProcessHeap.KERNEL32 ref: 004E9C04
• RtlAllocateHeap.NTDLL(00000000,00000000,00010000), ref: 004E9C1E
• RtlAllocateHeap.NTDLL(?,00000000,00010000), ref: 004E9C57
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Heap$Allocate$AddressHandleModuleProcProcess
                                                            • String ID:
                                                            • API String ID: 3330366720-0
                                                            • Opcode ID: 13763fb7ed65d7034848c90db75977a8d0748b960893ffa14e62b2712247cb23
                                                            • Instruction ID: d3ba1316c3404c5ffc03a5be9701c45b2826e37c75856fc641be7cc60fa5c5e8
                                                            • Opcode Fuzzy Hash: 13763fb7ed65d7034848c90db75977a8d0748b960893ffa14e62b2712247cb23
                                                            • Instruction Fuzzy Hash: CF81F0B5D04229ABDB14CF9AD884AAEFBB4FF48311F10856AE924B7350E7746A01CF54
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                                            • Instruction ID: 01dad5c531b3804b6668612822d9feb5b6f7af541a2af8c3bc89036eeee974e8
                                                            • Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                                            • Instruction Fuzzy Hash: DA023A71E002199BDF14CFA9D9C06AEFBB1FF48314F24926AE919B7380D735A9418B94
                                                            APIs
                                                              • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,18EC83FF,0046AB17,?,00431D09,?,005799D8,0046AB17,?,0046AB17,0106133C), ref: 0043525B
                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 004A4302
                                                              • Part of subcall function 00402B50: ___std_exception_copy.LIBVCRUNTIME ref: 00402BA7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::cancel_current_taskExceptionRaise___std_exception_copy
                                                            • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                                            • API String ID: 3394888853-3306948993
                                                            • Opcode ID: 8f53216de675892d6c656b907a8b4eaf3a4f216d5fc2d4a714e1e5bf0b6a4eda
                                                            • Instruction ID: 6c1cbe624ddbfb0a3fb1f462f7f99e90fcb4139636a8997a18e518a2115dafd1
                                                            • Opcode Fuzzy Hash: 8f53216de675892d6c656b907a8b4eaf3a4f216d5fc2d4a714e1e5bf0b6a4eda
                                                            • Instruction Fuzzy Hash: F5927970C04258CBDB21CF68C9447DEBBB1AF59304F24829EE44967382EB786B84CF95
                                                            APIs
                                                            • GetSystemTimePreciseAsFileTime.KERNEL32(?,00433077,?,00000000,00000000,?,00433036,?,?,?,?,00432C52,?,?), ref: 00433655
                                                            • GetSystemTimeAsFileTime.KERNEL32(?,DCECFDFE,?,?,00551382,000000FF,?,00433077,?,00000000,00000000,?,00433036,?,?), ref: 00433659
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Time$FileSystem$Precise
                                                            • String ID: `-@
                                                            • API String ID: 743729956-3781167437
                                                            • Opcode ID: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
                                                            • Instruction ID: 3e04e591088ee8cc2650925c1d28f2227fba881fd4e87dc1a7d03300bd93dc66
                                                            • Opcode Fuzzy Hash: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
                                                            • Instruction Fuzzy Hash: 73F0A032904A54EFCB118F44DC11B59BBA8F708B21F004626EC12A3790DB34A9049F94
                                                            APIs
                                                              • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                                              • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452FCB
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00453015
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004530DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: InfoLocale$ErrorLast
                                                            • String ID:
                                                            • API String ID: 661929714-0
                                                            • Opcode ID: 771d62436c19abd6dcce3df2e29dd49345e6d4ea3a13af81162c9b3a780b437f
                                                            • Instruction ID: 48740d242bba4bd8a9c349c0ec2c6d2d1cd0f344531baebb5e7d544be35332ed
                                                            • Opcode Fuzzy Hash: 771d62436c19abd6dcce3df2e29dd49345e6d4ea3a13af81162c9b3a780b437f
                                                            • Instruction Fuzzy Hash: 4661C2315006079FEB249F25CC82BABB7A8EF04787F10417AED05C6686EB7CDA49CB54
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00438B5C
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00438B66
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 00438B73
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: 190c57a89f893cc3a60c21e64f5d89c3dc83bf777de16abb744d2c180980a4ce
                                                            • Instruction ID: 8ec399b23226fa191ec5ef1820ea8a0bb8d05e2da4fe9e987d2f7c16b8c22cf0
                                                            • Opcode Fuzzy Hash: 190c57a89f893cc3a60c21e64f5d89c3dc83bf777de16abb744d2c180980a4ce
                                                            • Instruction Fuzzy Hash: 8331D4759013189BCB21DF65D8897CDBBB8BF08310F5051EAF81CA7251EB749B858F48
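Two of the records above are the ones an analyst triaging this listing would want to pull out mechanically: the GetModuleHandleA / GetProcAddress / GetProcessHeap / RtlAllocateHeap sequence (run-time import resolution followed by a 0x10000-byte heap allocation) and the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triplet. The following is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the "APIs" lines in the shape shown on this page (bullet, optional "Part of subcall function", API.MODULE, optional argument snapshot, "ref:" address), groups them per record using the "API ID" line, and applies two rules. The embedded input is a constructed excerpt of the records above, trimmed to the lines the parser needs. The rule names, the notes and the treatment of the IsDebuggerPresent triplet as the MSVC CRT's fatal-error path (so it is downgraded rather than reported as bespoke anti-debugging) are this example's own assumptions, drawn from the CRT sources rather than from anything the report states.

```python
import re

# Constructed excerpt of the Joe Sandbox "APIs" records shown on this page
# (three records, trimmed to the lines the parser needs); not the full report.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(?,771AE010,?), ref: 004E9BEE
• GetProcAddress.KERNEL32(00000000,?), ref: 004E9BF9
• GetProcessHeap.KERNEL32 ref: 004E9C04
• RtlAllocateHeap.NTDLL(00000000,00000000,00010000), ref: 004E9C1E
• RtlAllocateHeap.NTDLL(?,00000000,00010000), ref: 004E9C57
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Heap$Allocate$AddressHandleModuleProcProcess
• Instruction Fuzzy Hash: CF81F0B5D04229ABDB14CF9AD884AAEFBB4FF48311F10856AE924B7350E7746A01CF54
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00438B5C
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00438B66
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 00438B73
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Instruction Fuzzy Hash: 8331D4759013189BCB21DF65D8897CDBBB8BF08310F5051EAF81CA7251EB749B858F48
APIs
  • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,18EC83FF), ref: 0043525B
• Concurrency::cancel_current_task.LIBCPMT ref: 004A4302
Similarity
• API ID: Concurrency::cancel_current_taskExceptionRaise___std_exception_copy
• Instruction Fuzzy Hash: F5927970C04258CBDB21CF68C9447DEBBB1AF59304F24829EE44967382EB786B84CF95
"""

CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"  # call made inside a callee
    r"(?P<api>\S+?)\.(?P<module>[A-Z0-9_]+)"                  # e.g. GetProcAddress.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                                # optional argument snapshot
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"                    # call-site address
)


def parse_records(text):
    """Split a Joe Sandbox function listing into records of API calls.

    A record starts at an "APIs" header and ends at its "Instruction Fuzzy Hash"
    line; its "API ID" is the sandbox's own name for the call combination.
    """
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"api_id": "", "calls": []}
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m["args"] or ""
            current["calls"].append({
                "api": m["api"],
                "module": m["module"],
                "args": [a for a in args.split(",") if a],
                "ref": int(m["ref"], 16),
                "subcall": m["sub"] is not None,
            })
        elif stripped.startswith("• API ID:"):
            current["api_id"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("• Instruction Fuzzy Hash:"):
            records.append(current)
            current = None
    return records


# Each rule: label, API-name prefixes that must all appear, analyst note.
# Prefix matching lets GetModuleHandleA and GetModuleHandleW both count.
RULES = [
    ("dynamic API resolution", ("GetModuleHandle", "GetProcAddress"),
     "imports resolved at run time; recover the name or hash fed to GetProcAddress"),
    ("debugger check", ("IsDebuggerPresent",),
     "weak on its own; check what the result gates"),
]

# IsDebuggerPresent, SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter
# in one function is the shape of the MSVC CRT's fatal-error path. That reading is
# an assumption taken from the CRT sources, not something the report states.
CRT_FAIL_PATH = ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter")


def _has_all(names, prefixes):
    return all(any(n.startswith(p) for n in names) for p in prefixes)


def flag_record(record, include_subcalls=False):
    """Return [(label, note)] for every rule the record satisfies.

    Sub-calls are excluded by default so a helper's APIs are not credited to
    every caller the sandbox lists them under.
    """
    names = [c["api"] for c in record["calls"] if include_subcalls or not c["subcall"]]
    hits = [(label, note) for label, needed, note in RULES if _has_all(names, needed)]
    if _has_all(names, CRT_FAIL_PATH):
        hits = [(label, "likely CRT fatal-error path, not bespoke anti-debugging")
                if label == "debugger check" else (label, note)
                for label, note in hits]
    return hits


def flag_report(text):
    """Map each record's API ID to the rule hits for that record."""
    return {r["api_id"]: flag_record(r) for r in parse_records(text)}


if __name__ == "__main__":
    for api_id, hits in flag_report(SAMPLE).items():
        for label, note in hits:
            print(f"{api_id}: {label} ({note})")
```

Run against the excerpt, the heap record is reported as dynamic API resolution, the IsDebuggerPresent record is reported with the CRT caveat, and the cancel_current_task record produces nothing because its RaiseException is a sub-call. The "ref:" addresses are kept as integers so hits can be cross-referenced with the disassembly, and the argument snapshot is kept as a list so an analyst can filter on, for example, the 00010000 allocation size.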
                                                            APIs
                                                            • FindClose.KERNEL32(000000FF,?,0041D027,?,?,00000000,00424721), ref: 00431FA8
                                                            • FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,0041D027,?,?,00000000,00424721), ref: 00431FD7
                                                            • GetLastError.KERNEL32(?,0041D027,?,?,00000000,00424721), ref: 00431FE9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseErrorFileFirstLast
                                                            • String ID:
                                                            • API String ID: 4020440971-0
                                                            • Opcode ID: b16ae3ed5c4ea8c825a7741cabbb9deee3b3ed014939fe7a26025e30d09a83a3
                                                            • Instruction ID: 374c7283d1fee54890fd1da0f93e4c1b7d6ed331c4205a5270736a92a01d96fc
                                                            • Opcode Fuzzy Hash: b16ae3ed5c4ea8c825a7741cabbb9deee3b3ed014939fe7a26025e30d09a83a3
                                                            • Instruction Fuzzy Hash: D9F08232000208BFDB206FB5DC08DBA7BADEB18371F108626FD68C16B0D731D9A596B5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                                            • API String ID: 0-3306948993
                                                            • Opcode ID: 72d5261657c7658768fe5faedfc2c35b4241755d3c66d4b5e806afb36eedee21
                                                            • Instruction ID: 8821a8bfd1e48b799a2abfd01eecbd4ab6b0e4478dc98b90df7da55720a0e0c1
                                                            • Opcode Fuzzy Hash: 72d5261657c7658768fe5faedfc2c35b4241755d3c66d4b5e806afb36eedee21
                                                            • Instruction Fuzzy Hash: 37C26770D042688BDB21DF68C9847EEBBB0BF69304F1481DAD44967282EB785E85CF95
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?,?,?,00447E76,?,20001004,?,00000002,?,?,00447468), ref: 0044B768
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID: `-@
                                                            • API String ID: 2299586839-3781167437
                                                            • Opcode ID: 49b4b54da173fcca6da5c5c7afb6aecc463d0371a21e889a3031e465fe0a4c2b
                                                            • Instruction ID: 6cde8863e94abc83afdff9d02dc43b85bf30edba8fd47250f688fa8aae92868b
                                                            • Opcode Fuzzy Hash: 49b4b54da173fcca6da5c5c7afb6aecc463d0371a21e889a3031e465fe0a4c2b
                                                            • Instruction Fuzzy Hash: 65E04F36500218BBEF223F61EC05EAE7F26EF447A2F008416FD0565271CB75C921BAE9
                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005470C3
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00547121
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 885266447-0
                                                            • Opcode ID: 704cbafd83cb264c74fc3d14c4ddb0be6021144597e852803927d713c5b9569e
                                                            • Instruction ID: ee470a65dbc593a795070072979824b2ac82643cc29d3266eaeb19038688183b
                                                            • Opcode Fuzzy Hash: 704cbafd83cb264c74fc3d14c4ddb0be6021144597e852803927d713c5b9569e
                                                            • Instruction Fuzzy Hash: 9B02D475E0465A8BCB18CF6DD8943FDFFF1BF9A318F1542AAE859AB281D73049448B40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: +$/
                                                            • API String ID: 0-2439032044
                                                            • Opcode ID: dd95fb86a40a875793c4cbbc2990c09bff94f118c65fea2c5132c9262adc59a0
                                                            • Instruction ID: 806c9ae79926dcaf8cececc9d71f70d18bc6a9957051dde4d486c1f800b17d24
                                                            • Opcode Fuzzy Hash: dd95fb86a40a875793c4cbbc2990c09bff94f118c65fea2c5132c9262adc59a0
                                                            • Instruction Fuzzy Hash: A602D171900245DFCB05CF68C4946EEBBF5BF49310F24426AE865A7382D7389E49CBA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %s-mj%08X
                                                            • API String ID: 0-77246884
                                                            • Opcode ID: 8640a528e6cf7eea0fde200176c328cb614cdc5be86cb0c0014a19372e8a067b
                                                            • Instruction ID: 5d18eec4070a212f04a33d48acd2be0269bb50243265832a54b6b75d81467ec3
                                                            • Opcode Fuzzy Hash: 8640a528e6cf7eea0fde200176c328cb614cdc5be86cb0c0014a19372e8a067b
                                                            • Instruction Fuzzy Hash: CC42CEB4A006069FDB14CFA8D884BAEBBF5FF88304F149469E81AA7311E735ED45CB50
                                                            APIs
                                                              • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                                              • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045321E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$InfoLocale
                                                            • String ID:
                                                            • API String ID: 3736152602-0
                                                            • Opcode ID: 4ab9832fe99221dde9f501d391a089cb7a2462732883aa12bf08d4854e9c0ffe
                                                            • Instruction ID: c68ba993faf54d01c6f16d81f3f5077507b086e8cfab0080940638b83f1b5490
                                                            • Opcode Fuzzy Hash: 4ab9832fe99221dde9f501d391a089cb7a2462732883aa12bf08d4854e9c0ffe
                                                            • Instruction Fuzzy Hash: 8D219872514606ABDB189E25DC42A7BB3A8EF04756F1000BFFD01D6242EB7CDE489758
                                                            APIs
                                                              • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                                              • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                                            • EnumSystemLocalesW.KERNEL32(00452F77,00000001,00000000,?,?,?,004535AB,?), ref: 00452EC3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                            • String ID:
                                                            • API String ID: 2417226690-0
                                                            • Opcode ID: ed3a15461aa07a0672f4d58e186f542e4a9ded439744096cd7c499f36c17fdd7
                                                            • Instruction ID: 0b970845e1a8773270f0425e193d970e9e25a52c90aa89fa5165c8154eb0a54b
                                                            • Opcode Fuzzy Hash: ed3a15461aa07a0672f4d58e186f542e4a9ded439744096cd7c499f36c17fdd7
                                                            • Instruction Fuzzy Hash: 8B11593B2007014FDB189F39D99267BB7A1FF84319B14442EED8687B41D3B5B806DB44
                                                            APIs
                                                              • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                                              • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00453274,00000000,00000000,?), ref: 00453425
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$InfoLocale
                                                            • String ID:
                                                            • API String ID: 3736152602-0
                                                            • Opcode ID: 9fb8eb4d6cfb5dc9ab71851ad247751131481363ade4371d576ad0b9e7960359
                                                            • Instruction ID: 7310505bafe8fff12ee8f5912ce4e44c5146d6de948bcf0b33cac505e4352342
                                                            • Opcode Fuzzy Hash: 9fb8eb4d6cfb5dc9ab71851ad247751131481363ade4371d576ad0b9e7960359
                                                            • Instruction Fuzzy Hash: 72014E336002127BDB195E25CC45BBB7764DB41797F14442AEC06A3281DA78FE45D994
                                                            APIs
                                                              • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                                              • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$InfoLocale
                                                            • String ID: *V$utf8
                                                            • API String ID: 3736152602-210452255
                                                            • Opcode ID: 59e00f747d9bc6cf307ab543fe27e9585fa5185e009a5a777542dc83f29e6ce8
                                                            • Instruction ID: aeef1e48df53c0e1e1989da3d76282249285fc4edbaa792ed956cb55b8cc0ce8
                                                            • Opcode Fuzzy Hash: 59e00f747d9bc6cf307ab543fe27e9585fa5185e009a5a777542dc83f29e6ce8
                                                            • Instruction Fuzzy Hash: E3F0C832610205ABD714AF35DC4AEBB73A8DB59316F10017FF902D7282EA7CAD099768
                                                            APIs
                                                              • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                                              • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                                            • EnumSystemLocalesW.KERNEL32(004531CA,00000001,?,?,?,?,00453573,?,?,?,?), ref: 00452F36
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                            • String ID:
                                                            • API String ID: 2417226690-0
                                                            • Opcode ID: a7aabdafeecc33135d5ef59119c1dd02303f614df75aa08249f401847eac2aa8
                                                            • Instruction ID: 46f5077cb0f7882f4a3a694ed1b059b17750918d15d6876221f24d4c3ab0ea03
                                                            • Opcode Fuzzy Hash: a7aabdafeecc33135d5ef59119c1dd02303f614df75aa08249f401847eac2aa8
                                                            • Instruction Fuzzy Hash: 38F022372003045FDB249F35AC81A7B7BA1FB82769B15842FFE068B692C2B59C02A654
                                                            APIs
                                                              • Part of subcall function 0044424B: RtlEnterCriticalSection.NTDLL(-00588967), ref: 0044425A
                                                            • EnumSystemLocalesW.KERNEL32(0044B1A4,00000001,0057A298,0000000C,0044B5D9,?,?,?,?), ref: 0044B1E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                            • String ID:
                                                            • API String ID: 1272433827-0
                                                            • Opcode ID: c95449866fe5fa4667aabee73304f47e4942a34859e8fff04667a9b00fb14092
                                                            • Instruction ID: e80e171ad64c81d089edaf6c836f83e2cf4dda05f2f2c126e8d7e53f9a4c0b50
                                                            • Opcode Fuzzy Hash: c95449866fe5fa4667aabee73304f47e4942a34859e8fff04667a9b00fb14092
                                                            • Instruction Fuzzy Hash: F3F04F76A00200DFE700DF99E806B9C7BF0FB59B25F10819BF810E7290DBB999049F45
                                                            APIs
                                                              • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                                              • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                                            • EnumSystemLocalesW.KERNEL32(00452D5F,00000001,?,?,?,004535CD,?,?,?,?), ref: 00452E3D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                            • String ID:
                                                            • API String ID: 2417226690-0
                                                            • Opcode ID: 5ffb0c9d813d6eba6d8fd2e10c847f2c312efa30acac4b18343fb8da06ef6d7e
                                                            • Instruction ID: fee7300587f55c0c421301d99721cdf1a1ff6f595eefe83fa7d5e966eb6188b0
                                                            • Opcode Fuzzy Hash: 5ffb0c9d813d6eba6d8fd2e10c847f2c312efa30acac4b18343fb8da06ef6d7e
                                                            • Instruction Fuzzy Hash: 8FF0553A30020557CB04AF35D80666BBFA0EFC2711B06405BEE09CB392C2B99846DB94
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
• Instruction ID: 9b29181f1e73fb818f8d5afe29d750a692cb89b7e5c93380094c3e3283dda0cb
• Opcode Fuzzy Hash: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
• Instruction Fuzzy Hash: 383273B3F5161447DF1CCA6ECC922EDB2E36FD821871E813DE80AE3345EA79E9454684
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b4a0174d0d62f2b1227807bd6e07e9c018e82f5f56551d9681256b3b92353b2
• Instruction ID: 68aa0d5ee95f80c7a91d8174e86b503e14c67071ff11744bcabbed3cfa87bcc2
• Opcode Fuzzy Hash: 4b4a0174d0d62f2b1227807bd6e07e9c018e82f5f56551d9681256b3b92353b2
• Instruction Fuzzy Hash: F96270B0D002599FDB14CF59C5846BEBBB1BF84308F2481AEDA14AB346C779DA46CF94
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fbac4b70a9c3c67ada46d8963e84295cc0882089f898ae31994d500bf3d20ec
• Instruction ID: 2807212ea96b117041c7bec1f3afc05bff6e45bf6fd572f3e89de87d1ee8a68d
• Opcode Fuzzy Hash: 9fbac4b70a9c3c67ada46d8963e84295cc0882089f898ae31994d500bf3d20ec
• Instruction Fuzzy Hash: C7F16D7290D69A8FDB158E38C4813EDBF62FF69304F1C4AA6C4A597383D3389A45C791
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
• Instruction ID: 0e8ddfc969875e3dd00111f91a6503ca4c3a70c52638cfea05a5ef0fdf848abd
• Opcode Fuzzy Hash: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
• Instruction Fuzzy Hash: 1EE10276F1022A9FDB05CFA8D4816ADFBF1AF88320B5942AAD814B7340D774A945CB94
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a41b321b0bedac8989d8c8297ce8e3211a7e70ffbcb0090baa5e3f65be106bda
• Instruction ID: 86fdf0966577921a64d033a0687854855d7760d31b02c963075edfb0c817f6d8
• Opcode Fuzzy Hash: a41b321b0bedac8989d8c8297ce8e3211a7e70ffbcb0090baa5e3f65be106bda
• Instruction Fuzzy Hash: 45C1DA709006069FEB24CF68C484A6BBBB1EF45304F14461FDB969B791C338ED66CB5A
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 337bf9b0213a408d992dbd779b211f999c4c3a8d278f465cc99103b402b18e84
• Instruction ID: 7c06e8313ae742015ce167e0291709e23a9c2e608a4b019449313ff3a09dc83f
• Opcode Fuzzy Hash: 337bf9b0213a408d992dbd779b211f999c4c3a8d278f465cc99103b402b18e84
• Instruction Fuzzy Hash: 21B129315007019BDB38EB65CD82AB7B3A8EF45309F14452FED43C6642EBB9E989C718
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af51445418b551fcf1678b85b0f98f1f354c0bd79bc812c4d64e5654522ea52e
• Instruction ID: 58693602e5fae249548aecd5a5cda3cf3ec8d10b115813b1b7ba796d0def4e87
• Opcode Fuzzy Hash: af51445418b551fcf1678b85b0f98f1f354c0bd79bc812c4d64e5654522ea52e
• Instruction Fuzzy Hash: 9EA14AB1A016069FDB14CF69C4846AAFBE5FF85318B28C1AAD818CB301E731ED11CB81
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cab0755b21c077cf839bf9405ed2cf93180bce573716b191f7f6d9c196173859
• Instruction ID: f297913e25a3591813c030fa515b242fba5e7fe6b87ce0d9dc90972f2508a2cf
• Opcode Fuzzy Hash: cab0755b21c077cf839bf9405ed2cf93180bce573716b191f7f6d9c196173859
• Instruction Fuzzy Hash: 0281FDB4A002469FDB118F69D8817BEFBF4AB2A315F04016EDC55A7383CB38990DD7A4
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d9e1b96ebeb8905ce8cf41e2ed65b6f129fd888b54bee42289f6865976a0455
• Instruction ID: 9260139a4ef8e20400bb9b6c572cac56afe306f3fbbdb3538d7680a8b6287584
• Opcode Fuzzy Hash: 5d9e1b96ebeb8905ce8cf41e2ed65b6f129fd888b54bee42289f6865976a0455
• Instruction Fuzzy Hash: 506195356345684FE708CF1EECD04363B52A39E30538542AAEA81C7395C576FA2EE7E0
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
• Instruction ID: 0bb0d4fe57c201db2c152aeff89cf209e4ab217caaafa113e802d716cdce1c0b
• Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
• Instruction Fuzzy Hash: 5B517D72D00219AFDF04CF99C940AEFBBB6FF88314F198459E955AB301D7389A50CB95
Memory Dump Source
• Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction ID: 4ba24db855cab2182e42f47a77fd888252c09f86d43135b4b8e5651c7dd79236
• Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction Fuzzy Hash: B21131F724D08143EA74863DC8B46BBA795EBCD320F2D63BBE0C14BB58D52AD5459908
APIs
• GetModuleHandleA.KERNEL32(?,771AE010,?), ref: 004E92A0
• GetProcAddress.KERNEL32(00000000,?), ref: 004E92B0
• GetModuleHandleA.KERNEL32(?), ref: 004E93C8
• GetProcAddress.KERNEL32(00000000,?), ref: 004E93D2
• OpenProcess.KERNEL32(00000040,00000000,?), ref: 004E93DE
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000), ref: 004E944D
• CloseHandle.KERNEL32(?), ref: 004E9480
• CloseHandle.KERNEL32(?), ref: 004E94A6
• CloseHandle.KERNEL32(00000000), ref: 004E94C6
• CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 004E9668
• ResetEvent.KERNEL32(00000000), ref: 004E9671
• CreateThread.KERNEL32(00000000,00000000,004E97A0,?,00000000,00000000), ref: 004E9695
• WaitForSingleObject.KERNEL32(00000000,00000064), ref: 004E96A1
• RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 004E96E7
• CloseHandle.KERNEL32(?), ref: 004E9728
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000001), ref: 004E9734
• CloseHandle.KERNEL32(?), ref: 004E9753
• TerminateThread.KERNEL32(?,00000000), ref: 004E9781
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Handle$Close$Process$AddressCreateCurrentEventModuleProcStringThread$AnsiObjectOpenResetSingleTerminateUnicodeWait
                                                            • String ID: File
                                                            • API String ID: 3681783469-749574446
                                                            • Opcode ID: 02c975d743a992077f3dbef84ff0a07a20ddd4842273eff2ca5adffffcfc23b6
                                                            • Instruction ID: b9b0c17e31d3cfe0bbc2e9151a178c1e78e3251af3666c5291f23336d4f8ce8a
                                                            • Opcode Fuzzy Hash: 02c975d743a992077f3dbef84ff0a07a20ddd4842273eff2ca5adffffcfc23b6
                                                            • Instruction Fuzzy Hash: 6322D2B4D042599FDB24CF99D981BEEBBB4BF08310F104199E909B7390E7746A81CFA5
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0041A09D
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0041A0BF
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0041A0E7
                                                            • __Getctype.LIBCPMT ref: 0041A1C5
                                                            • std::_Facet_Register.LIBCPMT ref: 0041A1F9
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0041A223
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                            • String ID: PD@$PG@$E@
                                                            • API String ID: 1102183713-4120405683
                                                            • Opcode ID: 9c2fb5f23b8a6ef50c0a87551a20d9a1a173f7e45579ddf469c0ebb2b07afed2
                                                            • Instruction ID: b372b58ab1bb25eec4b44a09b7f8f3aef2cc67a410616163416d5e42c3dffe19
                                                            • Opcode Fuzzy Hash: 9c2fb5f23b8a6ef50c0a87551a20d9a1a173f7e45579ddf469c0ebb2b07afed2
                                                            • Instruction Fuzzy Hash: 6E51BAB0D01245DFCB11CF98C9457AEBBF0FB14714F14825ED855AB391DB78AA88CB92
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 00437307
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 0043730F
                                                            • _ValidateLocalCookies.LIBCMT ref: 00437398
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 004373C3
                                                            • _ValidateLocalCookies.LIBCMT ref: 00437418
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: `-@$csm
                                                            • API String ID: 1170836740-3738301566
                                                            • Opcode ID: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
                                                            • Instruction ID: bde692452db8eba3752ab90a3e7788ac0719a0bf92b2230e47b89eff8dfd02fd
                                                            • Opcode Fuzzy Hash: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
                                                            • Instruction Fuzzy Hash: B041F8709042099FCF20DF59C885A9FBBA4BF08328F14905BFC54AB392D739E905DB95
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0041C45A
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0041C47C
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0041C4A4
                                                            • std::_Facet_Register.LIBCPMT ref: 0041C59A
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0041C5C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                            • String ID: E@$PD@
                                                            • API String ID: 459529453-4103272508
                                                            • Opcode ID: 5d5041aa5d60d0880ebdc6a58bad771eee35cf9a11b34294d639c79e11cc1adc
                                                            • Instruction ID: e4bc83ced0ac359faa997fd18d4eeb760fe14de2594101695cc0fd15b6690fbc
                                                            • Opcode Fuzzy Hash: 5d5041aa5d60d0880ebdc6a58bad771eee35cf9a11b34294d639c79e11cc1adc
                                                            • Instruction Fuzzy Hash: C351EFB0900255EFDB11CF58C991BAEBBF0FB10314F24415EE846AB381D7B9AA45CB95
                                                            APIs
                                                            • FreeLibrary.KERNEL32(00000000,?,0044B48D,?,?,00000000,00000016,?,?,0044B6B7,00000022,FlsSetValue,00561B88,00561B90,00000016), ref: 0044B43F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID: api-ms-$ext-ms-
                                                            • API String ID: 3664257935-537541572
                                                            • Opcode ID: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
                                                            • Instruction ID: e3d7dbf8d3e43151f67a2d3675c4fcd7809fc0c9af6198dcb17880ded4e1cd5b
                                                            • Opcode Fuzzy Hash: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
                                                            • Instruction Fuzzy Hash: A2212B36A01220A7E7319F619C45A6B7768EB51761F140112FC06A7392D734ED05D6D9
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DCECFDFE,?,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 00443668
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044367A
                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 0044369C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$`-@$mscoree.dll
                                                            • API String ID: 4061214504-3731901874
                                                            • Opcode ID: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
                                                            • Instruction ID: 11f561727bfec435161e86ab51d2faaed74d5e09c0b89d0474703e999051cdf2
                                                            • Opcode Fuzzy Hash: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
                                                            • Instruction Fuzzy Hash: 5601A232A44715AFDB219F44DC19BAFBBB8FB14B52F014526E812E27E0DB749A04CA94
                                                            APIs
                                                            • GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                                            • 6D7C7CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                                            • SetLastError.KERNEL32(00000000), ref: 004D6CFE
                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 004D6D33
                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D47
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CopyFile
                                                            • String ID:
                                                            • API String ID: 936320341-0
                                                            • Opcode ID: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                                            • Instruction ID: cca443e56f4e81c83c2dc89493b37bcb85ee1d7da0cfa031959f485395bd6110
                                                            • Opcode Fuzzy Hash: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                                            • Instruction Fuzzy Hash: 6051C172D01219ABCB21CF94DC55BEEBBB8EB04320F10026AE804B3390D7396E05CBA4
                                                            APIs
                                                            • __EH_prolog3.LIBCMT ref: 00432730
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0043273B
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004327A9
                                                              • Part of subcall function 0043288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004328A4
                                                            • std::locale::_Setgloballocale.LIBCPMT ref: 00432756
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                            • String ID: `-@
                                                            • API String ID: 677527491-3781167437
                                                            • Opcode ID: 37577bf2a80403a51899406bddbde92f65c249edf66a066c41dee1567bca50bf
                                                            • Instruction ID: 335728d06f8999c9367bb6f0cb93ad347570f0e44e9dcbef2930aaa8ccdcd417
                                                            • Opcode Fuzzy Hash: 37577bf2a80403a51899406bddbde92f65c249edf66a066c41dee1567bca50bf
                                                            • Instruction Fuzzy Hash: 9D01FC35A006109BC70AFB20CC5157D7BB0FF98790F44250EE81163391CFB8AE06DB89
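The entries above are raw per-function API listings, and most of them (the std::_Lockit, _ValidateLocalCookies and mscoree.dll/CorExitProcess functions) are MSVC runtime boilerplate that an analyst wants filtered out before looking at the few that matter: the function at 004E92A0 that resolves imports at run time with GetModuleHandleA/GetProcAddress, opens another process and runs a thread under a WaitForSingleObject/TerminateThread timeout, and the function at 004D6BD3 that calls into RSTRTMGR (the report prints the unresolved export as the address 6D7C7CF0) right before CopyFileA. Restart Manager is the Windows facility for finding and stopping the processes that hold a file open, which is why a call into it next to a file copy is worth a look. The following triage script is an added example, not Joe Sandbox's code and not part of this report: it parses lines in the report's "• Name.MODULE(args), ref: ADDR" form, including the indented "Part of subcall function" lines, and applies those heuristics. The flag names, the verdict rule and the embedded sample (a constructed excerpt mirroring lines on this page, with some argument lists shortened) are this example's own choices.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example, not tool or report code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

CRT_MODULES = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}  # only MSVC runtime helpers use these
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExA", "GetModuleHandleExW",
           "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# "<name>.<MODULE>(<args>), ref: <addr>"  or  "<name>.<LIB> ref: <addr>"
API_CALL = re.compile(r"^(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9_]+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
SUBCALL = re.compile(r"^Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*(?P<rest>.+)$")

# Constructed sample in the report's layout (argument lists shortened).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(?,771AE010,?), ref: 004E92A0
• GetProcAddress.KERNEL32(00000000,?), ref: 004E92B0
• OpenProcess.KERNEL32(00000040,00000000,?), ref: 004E93DE
• CreateThread.KERNEL32(00000000,00000000,004E97A0,?,00000000,00000000), ref: 004E9695
• WaitForSingleObject.KERNEL32(00000000,00000064), ref: 004E96A1
• TerminateThread.KERNEL32(?,00000000), ref: 004E9781
Strings
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DCECFDFE), ref: 00443668
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044367A
APIs
• GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
• 6D7C7CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
• CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
Memory Dump Source
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0041A09D
  • Part of subcall function 0043288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004328A4
• _ValidateLocalCookies.LIBCMT ref: 00437307
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: bool = False  # True for "Part of subcall function ..." lines


@dataclass
class Function:
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def names(self) -> set:
        return {c.name for c in self.calls}


def parse_api_listing(text: str) -> List[Function]:
    """One Function per 'APIs' heading; bullet lines under it become ApiCall records."""
    funcs: List[Function] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            funcs.append(Function())
            continue
        if not funcs or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        sub = SUBCALL.match(body)
        if sub:
            body = sub.group("rest")
        m = API_CALL.match(body)
        if not m:
            continue  # a bullet that is not an API line
        args = [a for a in (m.group("args") or "").split(",") if a]
        funcs[-1].calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                       m.group("ref").upper(), bool(sub)))
    return funcs


def triage(fn: Function) -> Dict[str, object]:
    """Analyst heuristics for one function: a list of flags and a coarse verdict."""
    names, modules = fn.names, {c.module for c in fn.calls}
    all_args = [a for c in fn.calls for a in c.args]
    flags: List[str] = []
    if names & LOADERS and "GetProcAddress" in names:
        # The MSVC CRT itself looks up CorExitProcess in mscoree.dll at exit: noise, not evasion.
        flags.append("crt_exit_shim" if "CorExitProcess" in all_args else "dynamic_api_resolution")
    if "OpenProcess" in names:
        flags.append("opens_other_process")
    if {"CreateThread", "WaitForSingleObject", "TerminateThread"} <= names:
        flags.append("thread_timeout_kill")
    if "RSTRTMGR" in modules and any(n.startswith("CopyFile") for n in names):
        flags.append("restart_manager_then_copy")  # copy of a file another process holds open
    if any(re.fullmatch(r"[0-9A-F]{8}", c.name) for c in fn.calls):
        flags.append("unresolved_export")  # report printed an address instead of an export name
    if fn.calls and modules <= CRT_MODULES:
        flags.append("crt_runtime_only")
    noise = {"crt_exit_shim", "crt_runtime_only"}
    verdict = "unflagged" if not flags else ("boilerplate" if set(flags) <= noise else "review")
    return {"first_ref": fn.calls[0].ref if fn.calls else None, "flags": flags, "verdict": verdict}


def rank(text: str) -> List[Dict[str, object]]:
    """Parse and return triage rows, functions worth reviewing first, most flags first."""
    rows = [triage(f) for f in parse_api_listing(text)]
    rows.sort(key=lambda r: (r["verdict"] != "review", -len(r["flags"])))
    return rows


if __name__ == "__main__":
    for row in rank(SAMPLE):
        print(f'{row["first_ref"]}  {row["verdict"]:<11} {", ".join(row["flags"]) or "-"}')
```

Run it over a report saved as text to get a short list to open in IDA first; the heuristics are deliberately narrow (they never fire on the std::_Lockit or _ValidateLocalCookies entries above), and new patterns are added as one more membership test in triage.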
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00432BDC
                                                            • RtlAcquireSRWLockExclusive.NTDLL(?), ref: 00432BFB
                                                            • RtlAcquireSRWLockExclusive.NTDLL(?), ref: 00432C29
                                                            • RtlTryAcquireSRWLockExclusive.NTDLL(?), ref: 00432C84
                                                            • RtlTryAcquireSRWLockExclusive.NTDLL(?), ref: 00432C9B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AcquireExclusiveLock$CurrentThread
                                                            • String ID:
                                                            • API String ID: 66001078-0
                                                            • Opcode ID: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
                                                            • Instruction ID: ee0d2db44a198d3d02c1eb3b1b0ff5a364ec90963e300245c4d31640e9e12550
                                                            • Opcode Fuzzy Hash: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
                                                            • Instruction Fuzzy Hash: B2415931900A0ADFCB20DF65CA8096EB3B4FF0C311F20692BD446D7650D7B8E986DB69
                                                            APIs
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00406587
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ___std_exception_destroy
                                                            • String ID: )@$", "$: "
                                                            • API String ID: 4194217158-2520320562
                                                            • Opcode ID: c1c11d7fb1cd80d3ff13af8c623d0fecf0494c18f99482b571f58a5e7d9cf1ae
                                                            • Instruction ID: 193815703dc37f45cda184aa0d75e7307a57ae547af4f9c577389d6cf834964f
                                                            • Opcode Fuzzy Hash: c1c11d7fb1cd80d3ff13af8c623d0fecf0494c18f99482b571f58a5e7d9cf1ae
                                                            • Instruction Fuzzy Hash: 85D1E370D00205DFCB14DFA8C945AAEBBF5FF44304F10462EE456A7381DB78AA55CB99
                                                            APIs
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 0040750C
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00407522
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ___std_exception_destroy
                                                            • String ID: )@$[json.exception.
                                                            • API String ID: 4194217158-3378332251
                                                            • Opcode ID: e4330e840f4c54607f5232ae7e228b7ade3f40d7aa291d92d50d17836804149a
                                                            • Instruction ID: d1fd1ad00dbeab1566b73d8112c34bc80c76f551163e59ed82d928a5322bc1a2
                                                            • Opcode Fuzzy Hash: e4330e840f4c54607f5232ae7e228b7ade3f40d7aa291d92d50d17836804149a
                                                            • Instruction Fuzzy Hash: 8C51CFB1C046489BD710DFA8C905B9EBBB4FF15318F14426EE850A73C2E7B86A44C7A5
                                                            APIs
                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F
                                                              • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,18EC83FF,0046AB17,?,00431D09,?,005799D8,0046AB17,?,0046AB17,0106133C), ref: 0043525B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 1903096808-1866435925
                                                            • Opcode ID: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
                                                            • Instruction ID: 99c94d1e80f512c720ba00148ae48faeb0acee82eabb402b7e5943aa58dcc262
                                                            • Opcode Fuzzy Hash: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
                                                            • Instruction Fuzzy Hash: AC119CF2844644ABCB10DF688C03BAB37C8E744715F04463EFE58972C1EB399800C79A
                                                            APIs
                                                            • GetConsoleOutputCP.KERNEL32(DCECFDFE,00000000,00000000,?), ref: 00448F02
                                                              • Part of subcall function 0044EC55: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044A862,?,00000000,-00000008), ref: 0044ECB6
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00449154
                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0044919A
                                                            • GetLastError.KERNEL32 ref: 0044923D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                            • String ID:
                                                            • API String ID: 2112829910-0
                                                            • Opcode ID: 91d99b140007bd56c2f11d9a0fac077867534d6b54893de6431ff092d3abe5dd
                                                            • Instruction ID: b6f9ea87837ca93654473fd2bae4ec290e60b55bc3ade45d2d9d29a5185f0d60
                                                            • Opcode Fuzzy Hash: 91d99b140007bd56c2f11d9a0fac077867534d6b54893de6431ff092d3abe5dd
                                                            • Instruction Fuzzy Hash: 70D1BC75D00249AFDF14CFA8C880AAEBBB5FF09304F28456AE856EB351D734AD45CB54
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(?), ref: 004E98CE
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004E98DA
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 004E9A55
                                                            • SetEvent.KERNEL32(00000000), ref: 004E9A5C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Event$AddressCreateHandleModuleProc
                                                            • String ID:
                                                            • API String ID: 2341598627-0
                                                            • Opcode ID: 2850c510e0873b556520308870891a000327a13676cc7a4ce2949c56bcf108ea
                                                            • Instruction ID: 94e94f94aa147367d366308f7bbda68d1ba073eefd2343970e9372381d670d86
                                                            • Opcode Fuzzy Hash: 2850c510e0873b556520308870891a000327a13676cc7a4ce2949c56bcf108ea
                                                            • Instruction Fuzzy Hash: 88819AB490C3829FC304CF59C48195AFBE5AFA8390F10891EF89587361E775D989CF96
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(?,00000400,?,?,?,?,00000000,00000000,?,?,?,0041A856,00000000,?,?,00000000), ref: 00431F29
                                                            • GetLastError.KERNEL32(?,0041A856,00000000,?,?,00000000,00000000,?,?), ref: 00431F35
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,0041A856,00000000,?,?,00000000,00000000,?), ref: 00431F5B
                                                            • GetLastError.KERNEL32(?,0041A856,00000000,?,?,00000000,00000000,?,?), ref: 00431F67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharErrorLastMultiWide
                                                            • String ID:
                                                            • API String ID: 203985260-0
                                                            • Opcode ID: 35e7bea43bf35a340b569ac256c958a5570a5f93565d5de543f4fdf7da8372b1
                                                            • Instruction ID: 5e8341cea1a57eda6e9d4b8ca3b7a39c6f892c49641055c0ca5066718be154a8
                                                            • Opcode Fuzzy Hash: 35e7bea43bf35a340b569ac256c958a5570a5f93565d5de543f4fdf7da8372b1
                                                            • Instruction Fuzzy Hash: C901FF36600255BBCF221FA1DC08D9B3E36EBD97A1F104015FE1556230C7318866E7B5
                                                            APIs
                                                            • WriteConsoleW.KERNEL32(00000000,00000000,0043D547,00000000,00000000,?,00453DCE,00000000,00000001,?,?,?,00449291,?,00000000,00000000), ref: 00456D49
                                                            • GetLastError.KERNEL32(?,00453DCE,00000000,00000001,?,?,?,00449291,?,00000000,00000000,?,?,?,0044986B,00000000), ref: 00456D55
                                                              • Part of subcall function 00456D1B: CloseHandle.KERNEL32(FFFFFFFE,00456D65,?,00453DCE,00000000,00000001,?,?,?,00449291,?,00000000,00000000,?,?), ref: 00456D2B
                                                            • ___initconout.LIBCMT ref: 00456D65
                                                              • Part of subcall function 00456CDD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00456D0C,00453DBB,?,?,00449291,?,00000000,00000000,?), ref: 00456CF0
                                                            • WriteConsoleW.KERNEL32(00000000,00000000,0043D547,00000000,?,00453DCE,00000000,00000001,?,?,?,00449291,?,00000000,00000000,?), ref: 00456D7A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                            • String ID:
                                                            • API String ID: 2744216297-0
                                                            • Opcode ID: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
                                                            • Instruction ID: b582005f90f2c4d159ccd48a3422ceca8e6e351b7b3b67145bbef734a6de3f3c
                                                            • Opcode Fuzzy Hash: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
                                                            • Instruction Fuzzy Hash: F4F01C37500518BBCF221FD1DC18A8A3F76EB583A2B814415FE0D96231D6328928EB94
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004091C8
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004091D3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: Ws2_32.dll
                                                            • API String ID: 1646373207-3093949381
                                                            • Opcode ID: 4029716d11f6571ef0759e38241cbf9d70b68e10af6bbd003f6e88ce5b02a30e
                                                            • Instruction ID: cb5ead6240095672237fdab8273f91d80b82b8d73d4ae51f565ea22395c8577a
                                                            • Opcode Fuzzy Hash: 4029716d11f6571ef0759e38241cbf9d70b68e10af6bbd003f6e88ce5b02a30e
                                                            • Instruction Fuzzy Hash: E7C16A70E01214DFCB24CFA8C84579EBBB0BF08714F24859EE955AB392D779AD01CB95
                                                            APIs
                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 00403819
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 004038F0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1406717830.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406892270.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406927004.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.0000000000771000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1406941275.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1408216672.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ___std_exception_copy___std_exception_destroy
                                                            • String ID: )@
                                                            • API String ID: 2970364248-4120265097
                                                            • Opcode ID: 81d5d02e461f4f166f6459a7f61821ba362e836743d5e8eb3d1cfbc247b2b74e
                                                            • Instruction ID: 269ef50febfdc4b1c22cf7239a576f40f0b19685bcb009e1facc48eb6157c32a
                                                            • Opcode Fuzzy Hash: 81d5d02e461f4f166f6459a7f61821ba362e836743d5e8eb3d1cfbc247b2b74e
                                                            • Instruction Fuzzy Hash: DD6169B1C00248DBDB10DF98C945B9EFFB5FF19324F14825EE814AB282D7B95A44CBA5
                                                            APIs
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00407CAC
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00407CC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ___std_exception_destroy
                                                            • String ID: )@
                                                            • API String ID: 4194217158-4120265097
                                                            • Opcode ID: 7f39d47836504a7423aab65aa40483168d682e35b864809af48f52d19c8c8e2a
                                                            • Instruction ID: 2d5fa3d367423be86db8b91485125f203ee18fb15550ca5d49c40f7a3d1822d9
                                                            • Opcode Fuzzy Hash: 7f39d47836504a7423aab65aa40483168d682e35b864809af48f52d19c8c8e2a
                                                            • Instruction Fuzzy Hash: 0051D3B1C052489BDB00DF98D9457DEFBF4EF19318F10426EE814A7381E7B96A44C7A5
                                                            APIs
                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F
                                                              • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,18EC83FF,0046AB17,?,00431D09,?,005799D8,0046AB17,?,0046AB17,0106133C), ref: 0043525B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
                                                            • String ID: ios_base::badbit set$ios_base::failbit set
                                                            • API String ID: 1903096808-1240500531
                                                            • Opcode ID: fed3493b01e8557903b528af4f88663475c45d25b4347422020baa5cab059aa8
                                                            • Instruction ID: 59789774a96eacd1a5b8f49c51d8e497543063f0a2ed12b155596828dbf76f3a
                                                            • Opcode Fuzzy Hash: fed3493b01e8557903b528af4f88663475c45d25b4347422020baa5cab059aa8
                                                            • Instruction Fuzzy Hash: E84124B2C00244ABCB04DF68C845BAEBBB8FB49710F14826EF554A73C1D7795A00CBA5
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00404061
                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004040C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                            • String ID: bad locale name
                                                            • API String ID: 3988782225-1405518554
                                                            • Opcode ID: 4f86f9a361d865152f401e3e2a632dcf866a544c369ba022f9cf666f0f7b581e
                                                            • Instruction ID: 65c2995a4cce64452fc0e082f9126f7f9302ed92d60cad1113ce5137d9e79936
                                                            • Opcode Fuzzy Hash: 4f86f9a361d865152f401e3e2a632dcf866a544c369ba022f9cf666f0f7b581e
                                                            • Instruction Fuzzy Hash: DB112670805B84EED321CF69C50474BBFF0AF25714F10868DD09597781D3B9A604CB95
                                                            APIs
                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 004165C9
                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 004165FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ___std_exception_copy
                                                            • String ID: )@
                                                            • API String ID: 2659868963-4120265097
                                                            • Opcode ID: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
                                                            • Instruction ID: 79ebb971947c26e29da123751e765caa72f3f100f47198c89106861aa63fe252
                                                            • Opcode Fuzzy Hash: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
                                                            • Instruction Fuzzy Hash: F0112EB6910649EBCB11CF99C980B86FBF8FF09724F10876AE82497641E774A5448BA0
                                                            APIs
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00407A5C
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00407A72
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ___std_exception_destroy
                                                            • String ID: )@
                                                            • API String ID: 4194217158-4120265097
                                                            • Opcode ID: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
                                                            • Instruction ID: 96290d15a7b89a27e7413382239de33ac52fdad5c525fa7f0e86a9c1871ea130
                                                            • Opcode Fuzzy Hash: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
                                                            • Instruction Fuzzy Hash: 68F012B1805744DFC711DF98C90178DFFF8FB05728F50466AE855A3780E7B5660487A5
                                                            APIs
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,004389D2,00000001,00000016,00438BE1,?,?,?,?,?,00000000), ref: 0044B834
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1406765755.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalInitializeSectionSpin
                                                            • String ID: InitializeCriticalSectionEx$`-@
                                                            • API String ID: 2593887523-3269949891
                                                            • Opcode ID: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
                                                            • Instruction ID: 5bcc12c1b0658f8dc7434a33690804c70bb56e7eadbb0958c8ec10a8e9d05d13
                                                            • Opcode Fuzzy Hash: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
                                                            • Instruction Fuzzy Hash: BDE09236581318BBCB212F92DC06DAE7F25EB24BA2F048022FD1956161C7768821BBD9

                                                            Execution Graph

                                                            Execution Coverage: 23.7%
                                                            Dynamic/Decrypted Code Coverage: 100%
                                                            Signature Coverage: 2.1%
                                                            Total number of Nodes: 2000
                                                            Total number of Limit Nodes: 43
47107->47116 47121 4163b0 std::_Throw_Cpp_error 41 API calls 47108->47121 47109->47006 47139 402df0 std::_Throw_Cpp_error 41 API calls 47110->47139 47111->46875 47111->46884 47126 402cf0 std::_Throw_Cpp_error 41 API calls 47113->47126 47114->47034 47140 4e6770 93 API calls 47115->47140 47154 410e44 47115->47154 47137 40d9fd 47116->47137 47144 41ab20 41 API calls 47116->47144 47130 40cbd9 47118->47130 47131 4163b0 std::_Throw_Cpp_error 41 API calls 47119->47131 47134 4e6770 93 API calls 47120->47134 47138 40fdfb 47121->47138 47135 402df0 std::_Throw_Cpp_error 41 API calls 47123->47135 47127 40dd62 47126->47127 47143 410111 47128->47143 47146 402df0 std::_Throw_Cpp_error 41 API calls 47130->47146 47148 40d5d4 47132->47148 47152 40d62a 47134->47152 47149 4dff00 205 API calls 47138->47149 47139->46913 47140->47154 47166 411a89 47142->47166 47159 40cbeb 47146->47159 47161 40d5e3 47148->47161 47162 40d5e5 CopyFileA 47148->47162 47149->47066 47180 402df0 std::_Throw_Cpp_error 41 API calls 47152->47180 47161->47162 47178 402df0 std::_Throw_Cpp_error 41 API calls 47162->47178 47180->46906 47461 4359b0 __fread_nolock 47460->47461 47462 4df088 SHGetFolderPathA 47461->47462 47463 4df150 47462->47463 47463->47463 47464 403040 std::_Throw_Cpp_error 41 API calls 47463->47464 47465 4df16c 47464->47465 47466 41fbf0 41 API calls 47465->47466 47467 4df19d 47466->47467 47470 4dfed9 47467->47470 47472 4df210 std::ios_base::_Ios_base_dtor 47467->47472 47468 4e6ca0 86 API calls 47469 4df245 47468->47469 47473 41ab20 41 API calls 47469->47473 47474 4dfe6b 47469->47474 47471 438c70 std::_Throw_Cpp_error 41 API calls 47470->47471 47481 4dfede 47471->47481 47472->47468 47477 4df2e8 47473->47477 47475 4dfe9b std::ios_base::_Ios_base_dtor 47474->47475 47474->47481 47476 402df0 std::_Throw_Cpp_error 41 API calls 47475->47476 47478 45e8c9 47476->47478 47479 4e6ca0 86 API calls 47477->47479 47478->46775 47478->46784 47480 4df308 47479->47480 47483 4df312 CreateDirectoryA 47480->47483 47487 4df333 
47480->47487 47482 438c70 std::_Throw_Cpp_error 41 API calls 47481->47482 47484 4dfef2 47482->47484 47483->47487 47487->47481 47566 4d7636 __fread_nolock 47565->47566 47567 4d7654 SHGetFolderPathA 47566->47567 47568 4359b0 __fread_nolock 47567->47568 47569 4d7681 SHGetFolderPathA 47568->47569 47570 4d77c8 47569->47570 47570->47570 47571 403040 std::_Throw_Cpp_error 41 API calls 47570->47571 47572 4d77e4 47571->47572 47573 41ace0 41 API calls 47572->47573 47576 4d7800 std::ios_base::_Ios_base_dtor 47573->47576 47574 4e6ca0 86 API calls 47577 4d7875 47574->47577 47575 4de427 47579 438c70 std::_Throw_Cpp_error 41 API calls 47575->47579 47576->47574 47576->47575 47578 4d79fb 47577->47578 47580 41ab20 41 API calls 47577->47580 47581 4de42c 47579->47581 48424->46796 49013 41e710 48425->49013 48427 41ae54 48427->46796 48429 41ab20 41 API calls 48428->48429 48432 4e005f 48429->48432 48430 402df0 std::_Throw_Cpp_error 41 API calls 48431 4e00f2 FindFirstFileA 48430->48431 48440 4e058f std::ios_base::_Ios_base_dtor 48431->48440 48504 4e011f std::locale::_Locimp::_Locimp 48431->48504 48433 4e06bc 48432->48433 48434 4e009f std::ios_base::_Ios_base_dtor 48432->48434 48435 438c70 std::_Throw_Cpp_error 41 API calls 48433->48435 48434->48430 48436 4e06c1 48435->48436 48439 438c70 std::_Throw_Cpp_error 41 API calls 48436->48439 48437 4e0564 FindNextFileA 48438 4e057b FindClose GetLastError 48437->48438 48437->48504 48438->48440 48441 4e06cb 48439->48441 48440->48436 48442 4e0670 std::ios_base::_Ios_base_dtor 48440->48442 48446 41ab20 41 API calls 48441->48446 48443 402df0 std::_Throw_Cpp_error 41 API calls 48442->48443 48444 4e0698 48443->48444 48445 402df0 std::_Throw_Cpp_error 41 API calls 48444->48445 48447 4e06a7 48445->48447 48448 4e083a 48446->48448 48447->46796 48449 439820 43 API calls 48448->48449 48450 4e08e8 48449->48450 48451 4e4585 48450->48451 49018 4e71e0 GetCurrentProcess IsWow64Process 48450->49018 48452 4163b0 std::_Throw_Cpp_error 41 API calls 48451->48452 48455 
4e45a8 48452->48455 48454 41e8a0 41 API calls 48454->48504 49091 4e7640 48455->49091 48458 403350 78 API calls 48460 4e09c4 48458->48460 48461 403350 78 API calls 48460->48461 48463 4e0a6e 48461->48463 49020 44196b GetSystemTimeAsFileTime 48463->49020 48464 418f00 41 API calls std::_Throw_Cpp_error 48464->48504 48474 402df0 41 API calls std::_Throw_Cpp_error 48474->48504 48479 4e053f CopyFileA 48485 4e05a0 GetLastError 48479->48485 48479->48504 48483 4e6ca0 86 API calls 48483->48504 48485->48440 48487 4e03cd CreateDirectoryA 48487->48485 48487->48504 48504->48436 48504->48437 48504->48440 48504->48454 48504->48464 48504->48474 48504->48479 48504->48483 48504->48487 48506 4dff00 155 API calls 48504->48506 48507 4032d0 41 API calls std::_Throw_Cpp_error 48504->48507 48506->48504 48507->48504 48664 4162d3 48663->48664 48665 4162ce 48663->48665 48664->46797 48666 402df0 std::_Throw_Cpp_error 41 API calls 48665->48666 48666->48664 48667->46797 48669 439820 43 API calls 48668->48669 48670 4e6e2f 48669->48670 48671 4e6e3c 48670->48671 48672 43d0a8 78 API calls 48670->48672 48673 402df0 std::_Throw_Cpp_error 41 API calls 48671->48673 48672->48671 48674 40beae 48673->48674 48674->47009 48674->47027 48734->46963 49014 41e753 49013->49014 49015 4032d0 std::_Throw_Cpp_error 41 API calls 49014->49015 49016 41e758 std::locale::_Locimp::_Locimp 49014->49016 49017 41e843 std::locale::_Locimp::_Locimp 49015->49017 49016->48427 49017->48427 49019 4e0900 49018->49019 49019->48458 49092 439820 43 API calls 49091->49092 49093 4e7740 49092->49093 49094 4e77b9 49093->49094 49181 43d5f6 49093->49181 49428 45f740 49429 45f794 49428->49429 49430 4602fc 49428->49430 49431 41ab20 41 API calls 49429->49431 49432 41ab20 41 API calls 49430->49432 49433 45f876 49431->49433 49434 4603de 49432->49434 49435 4e6ca0 86 API calls 49433->49435 49436 4e6ca0 86 API calls 49434->49436 49437 45f89c 49435->49437 49438 460404 49436->49438 49440 4e6c10 85 API calls 49437->49440 49442 45f8bf 49437->49442 49445 
460427 49438->49445 49575 4e6c10 49438->49575 49440->49442 49441 4602cf 49446 4602ea 49441->49446 49451 4e6770 93 API calls 49441->49451 49442->49441 49442->49446 49447 41b260 41 API calls 49442->49447 49443 461b1b 49448 402df0 std::_Throw_Cpp_error 41 API calls 49443->49448 49444 461b00 49444->49443 49452 4e6770 93 API calls 49444->49452 49445->49443 49445->49444 49587 41b260 49445->49587 49449 402df0 std::_Throw_Cpp_error 41 API calls 49446->49449 49488 45f8ef 49447->49488 49453 461b2d 49448->49453 49449->49430 49451->49446 49452->49443 49454 4602c0 49623 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49454->49623 49455 461af1 49626 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49455->49626 49458 4130f0 41 API calls 49491 460457 std::ios_base::_Ios_base_dtor 49458->49491 49459 4130f0 41 API calls 49459->49488 49460 41b260 41 API calls 49460->49488 49461 41b260 41 API calls 49461->49491 49464 4163b0 41 API calls std::_Throw_Cpp_error 49464->49488 49465 41ac50 41 API calls 49465->49488 49466 4163b0 41 API calls std::_Throw_Cpp_error 49466->49491 49467 416240 41 API calls 49467->49491 49470 4e6ca0 86 API calls 49470->49491 49471 402df0 41 API calls std::_Throw_Cpp_error 49471->49488 49472 4e6c10 85 API calls 49472->49491 49473 41ac50 41 API calls 49473->49491 49474 4e6ca0 86 API calls 49474->49488 49475 439820 43 API calls 49475->49488 49476 439820 43 API calls 49476->49491 49477 4e6c10 85 API calls 49477->49488 49478 41ae20 41 API calls 49478->49488 49479 41ae20 41 API calls 49479->49491 49480 41abb0 41 API calls 49480->49488 49481 41abb0 41 API calls 49481->49491 49482 416240 41 API calls 49482->49488 49483 413200 41 API calls 49483->49491 49484 43d0a8 78 API calls 49484->49491 49485 413200 41 API calls 49485->49488 49486 43d0a8 78 API calls 49486->49488 49487 402cf0 41 API calls std::_Throw_Cpp_error 49487->49488 49488->49454 49488->49459 49488->49460 49488->49464 49488->49465 49488->49471 49488->49474 49488->49475 49488->49477 49488->49478 49488->49480 
49488->49482 49488->49485 49488->49486 49488->49487 49489 41af80 41 API calls 49488->49489 49493 403350 78 API calls 49488->49493 49619 416210 41 API calls std::_Throw_Cpp_error 49488->49619 49620 41b400 41 API calls 49488->49620 49621 41bae0 41 API calls 2 library calls 49488->49621 49622 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49488->49622 49489->49488 49490 402cf0 41 API calls std::_Throw_Cpp_error 49490->49491 49491->49455 49491->49458 49491->49461 49491->49466 49491->49467 49491->49470 49491->49472 49491->49473 49491->49476 49491->49479 49491->49481 49491->49483 49491->49484 49491->49490 49495 41af80 41 API calls 49491->49495 49497 403040 std::_Throw_Cpp_error 41 API calls 49491->49497 49498 41ace0 41 API calls 49491->49498 49499 4162c0 41 API calls 49491->49499 49500 402df0 41 API calls std::_Throw_Cpp_error 49491->49500 49501 41b400 41 API calls 49491->49501 49502 461e04 49491->49502 49510 416260 41 API calls 49491->49510 49511 403350 78 API calls 49491->49511 49608 4219a0 49491->49608 49624 416210 41 API calls std::_Throw_Cpp_error 49491->49624 49625 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49491->49625 49493->49488 49495->49491 49497->49491 49498->49491 49499->49491 49500->49491 49501->49491 49503 438c70 std::_Throw_Cpp_error 41 API calls 49502->49503 49504 461e09 49503->49504 49505 41ab20 41 API calls 49504->49505 49506 461f34 49505->49506 49507 4e6ca0 86 API calls 49506->49507 49508 461f5a 49507->49508 49509 4e6c10 85 API calls 49508->49509 49513 461f7d 49508->49513 49509->49513 49510->49491 49511->49491 49512 46299f 49516 4629be 49512->49516 49513->49512 49514 41b260 41 API calls 49513->49514 49513->49516 49576 432b99 12 API calls 49575->49576 49577 4e6c3d 49576->49577 49578 4e6c44 49577->49578 49579 4e6c82 49577->49579 49581 4e6c89 49578->49581 49582 4e6c50 CreateDirectoryA 49578->49582 49580 432534 std::_Throw_Cpp_error 76 API calls 49579->49580 49580->49581 49583 432534 std::_Throw_Cpp_error 76 API calls 49581->49583 49584 432baa 
RtlReleaseSRWLockExclusive 49582->49584 49585 4e6c9a 49583->49585 49586 4e6c6e 49584->49586 49586->49445 49588 433672 std::_Facet_Register 3 API calls 49587->49588 49589 41b2b8 49588->49589 49590 41b2e2 49589->49590 49591 41b3b4 49589->49591 49592 433672 std::_Facet_Register 3 API calls 49590->49592 49594 402cf0 std::_Throw_Cpp_error 41 API calls 49591->49594 49593 41b2f7 49592->49593 49633 42e7e0 49593->49633 49595 41b3c4 49594->49595 49596 41ace0 41 API calls 49595->49596 49598 41b3d9 49596->49598 49600 407cf0 41 API calls 49598->49600 49599 41b33b 49601 41b352 49599->49601 49602 41d1d0 41 API calls 49599->49602 49604 41b3ee 49600->49604 49645 41d1d0 49601->49645 49602->49601 49605 4351fb Concurrency::cancel_current_task RaiseException 49604->49605 49606 41b3ff 49605->49606 49607 41b390 std::ios_base::_Ios_base_dtor 49607->49491 49609 4219d0 49608->49609 49610 4219f5 49608->49610 49609->49491 49611 402cf0 std::_Throw_Cpp_error 41 API calls 49610->49611 49612 421a03 49611->49612 49613 41ace0 41 API calls 49612->49613 49614 421a18 49613->49614 49615 407cf0 41 API calls 49614->49615 49616 421a2d 49615->49616 49617 4351fb Concurrency::cancel_current_task RaiseException 49616->49617 49619->49488 49620->49488 49621->49488 49622->49488 49623->49441 49624->49491 49625->49491 49626->49444 49639 42e82a 49633->49639 49644 42e9ff 49633->49644 49635 4163b0 41 API calls std::_Throw_Cpp_error 49635->49639 49636 42ea1a 49683 407260 RaiseException 49636->49683 49637 433672 std::_Facet_Register 3 API calls 49637->49639 49639->49635 49639->49636 49639->49637 49642 402df0 std::_Throw_Cpp_error 41 API calls 49639->49642 49639->49644 49650 413d50 49639->49650 49640 42ea1f 49641 42ea3d 49640->49641 49684 42d6a0 41 API calls std::_Throw_Cpp_error 49640->49684 49641->49599 49642->49639 49644->49599 49646 41d24d 49645->49646 49648 41d1f8 std::ios_base::_Ios_base_dtor 49645->49648 49646->49607 49647 41d1d0 41 API calls 49647->49648 49648->49646 49648->49647 49649 402df0 
std::_Throw_Cpp_error 41 API calls 49648->49649 49649->49648 49651 413d8f 49650->49651 49676 413df7 std::locale::_Locimp::_Locimp 49650->49676 49652 413d96 49651->49652 49653 413e69 49651->49653 49654 413f7d 49651->49654 49655 413f1e 49651->49655 49651->49676 49657 433672 std::_Facet_Register 3 API calls 49652->49657 49656 433672 std::_Facet_Register 3 API calls 49653->49656 49658 433672 std::_Facet_Register 3 API calls 49654->49658 49687 417e80 41 API calls 2 library calls 49655->49687 49660 413e73 49656->49660 49661 413da0 49657->49661 49662 413f8a 49658->49662 49660->49676 49686 42bf30 41 API calls 3 library calls 49660->49686 49663 433672 std::_Facet_Register 3 API calls 49661->49663 49666 413fd3 49662->49666 49667 41408e 49662->49667 49662->49676 49665 413dd2 49663->49665 49685 42f460 41 API calls 2 library calls 49665->49685 49671 414004 49666->49671 49672 413fdb 49666->49672 49688 403330 RaiseException 49667->49688 49668 413eb1 49668->49676 49679 413d50 41 API calls 49668->49679 49675 433672 std::_Facet_Register 3 API calls 49671->49675 49673 414093 49672->49673 49674 413fe6 49672->49674 49689 402b50 RaiseException Concurrency::cancel_current_task ___std_exception_copy 49673->49689 49678 433672 std::_Facet_Register 3 API calls 49674->49678 49675->49676 49676->49639 49680 413fec 49678->49680 49679->49668 49680->49676 49681 438c70 std::_Throw_Cpp_error 41 API calls 49680->49681 49682 41409d 49681->49682 49683->49640 49684->49640 49685->49676 49686->49668 49687->49676 49689->49680 49846 46aa80 50074 46aaba 49846->50074 49847 478b27 49848 46aae1 49849 4163b0 std::_Throw_Cpp_error 41 API calls 49848->49849 49850 4163b0 std::_Throw_Cpp_error 41 API calls 49848->49850 49849->49848 49851 46ab3c 49850->49851 49852 46abc4 49851->49852 49854 46abde 49852->49854 49853 403040 std::_Throw_Cpp_error 41 API calls 49853->49854 49854->49853 49855 403040 std::_Throw_Cpp_error 41 API calls 49854->49855 49856 46ad59 49855->49856 49858 46ad84 49856->49858 51193 47721c 
49856->51193 51194 4aa200 49856->51194 49861 46ad96 49858->49861 49859 47722a 49860 47724c 49859->49860 49864 4163b0 std::_Throw_Cpp_error 41 API calls 49860->49864 49862 46adb8 49861->49862 49863 4163b0 std::_Throw_Cpp_error 41 API calls 49862->49863 49865 46adc0 49863->49865 49866 47725b 49864->49866 49867 46adda 49865->49867 49874 477278 49866->49874 49868 46ade1 49867->49868 49870 4163b0 std::_Throw_Cpp_error 41 API calls 49868->49870 49869 4163b0 std::_Throw_Cpp_error 41 API calls 49869->49874 49871 46ade9 49870->49871 49873 402cf0 std::_Throw_Cpp_error 41 API calls 49871->49873 49872 402cf0 std::_Throw_Cpp_error 41 API calls 49872->49874 49875 46ae63 49873->49875 49874->49869 49874->49872 49882 47747b 49874->49882 49876 402cf0 std::_Throw_Cpp_error 41 API calls 49875->49876 49878 46af8d 49876->49878 49877 402cf0 std::_Throw_Cpp_error 41 API calls 49877->49882 49879 4aa200 222 API calls 49878->49879 49881 46afa8 49879->49881 49880 4aa200 222 API calls 49880->49882 49885 46afbd 49881->49885 49882->49877 49882->49880 49883 4774af 49882->49883 49884 4774d1 49883->49884 49887 4163b0 std::_Throw_Cpp_error 41 API calls 49884->49887 49886 46afdf 49885->49886 49888 4163b0 std::_Throw_Cpp_error 41 API calls 49886->49888 49889 4774e0 49887->49889 49890 46afe7 49888->49890 49898 4774fd 49889->49898 49891 46b001 49890->49891 49892 46b008 49891->49892 49894 4163b0 std::_Throw_Cpp_error 41 API calls 49894->49898 49896 402cf0 std::_Throw_Cpp_error 41 API calls 49896->49898 49898->49894 49898->49896 49905 477700 49898->49905 49900 402cf0 std::_Throw_Cpp_error 41 API calls 49900->49905 49903 4aa200 222 API calls 49903->49905 49905->49900 49905->49903 49907 477734 49905->49907 49909 477756 49907->49909 49911 4163b0 std::_Throw_Cpp_error 41 API calls 49909->49911 49913 477765 49911->49913 49923 477782 49913->49923 49917 4163b0 std::_Throw_Cpp_error 41 API calls 49917->49923 49921 402cf0 std::_Throw_Cpp_error 41 API calls 49921->49923 49923->49917 49923->49921 49929 477985 
49923->49929 49925 402cf0 std::_Throw_Cpp_error 41 API calls 49925->49929 49927 4aa200 222 API calls 49927->49929 49929->49925 49929->49927 49931 4779b9 49929->49931 49932 4779db 49931->49932 50069 402cf0 std::_Throw_Cpp_error 41 API calls 50069->50074 50072 4aa200 222 API calls 50072->50074 50074->49847 50074->49848 50074->50069 50074->50072 51193->49859 51195 4359b0 __fread_nolock 51194->51195 51196 4aa25b SHGetFolderPathA 51195->51196 52155 41ac50 51196->52155 51198 4aa28f 51199 4aa2ad 51198->51199 51200 4ab3c5 51198->51200 51202 4163b0 std::_Throw_Cpp_error 41 API calls 51199->51202 51201 4152b0 41 API calls 51200->51201 51204 4ab411 51201->51204 51203 4aa2be 51202->51203 51205 4c6000 45 API calls 51203->51205 51206 402df0 std::_Throw_Cpp_error 41 API calls 51204->51206 51207 4aa2d1 51205->51207 51208 4ab3c3 51206->51208 51209 4aa2eb 51207->51209 51464 4aa355 std::locale::_Locimp::_Locimp 51207->51464 51215 4242a0 41 API calls 51208->51215 51216 4ab46b 51208->51216 51465 4ab490 std::ios_base::_Ios_base_dtor std::locale::_Locimp::_Locimp 51208->51465 51211 4185d0 76 API calls 51209->51211 51210 4ab3b4 51213 4185d0 76 API calls 51210->51213 51212 4aa2f7 51211->51212 51214 4185d0 76 API calls 51212->51214 51213->51208 51217 4aa303 51214->51217 51215->51216 51218 402df0 std::_Throw_Cpp_error 41 API calls 51216->51218 51219 402df0 std::_Throw_Cpp_error 41 API calls 51217->51219 51218->51465 51222 4aa30f 51219->51222 51220 4adb0c 51225 417ef0 41 API calls 51220->51225 51221 41ab20 41 API calls 51221->51465 51223 402df0 std::_Throw_Cpp_error 41 API calls 51222->51223 51227 4adb7a 51225->51227 51229 4140c0 41 API calls 51227->51229 51231 4adba4 51229->51231 52163 41af80 51231->52163 51234 41ad80 41 API calls 51234->51465 51243 4adb07 51247 438c70 std::_Throw_Cpp_error 41 API calls 51243->51247 51247->51220 51255 41e8a0 41 API calls 51255->51465 51263 402df0 41 API calls std::_Throw_Cpp_error 51263->51464 51287 41e8a0 41 API calls 51287->51464 51309 41e710 41 API calls 
51309->51465 51312 418f00 std::_Throw_Cpp_error 41 API calls 51312->51465 51320 41abb0 41 API calls 51320->51465 51331 41abb0 41 API calls 51331->51464 51359 4e6d70 78 API calls 51359->51465 51378 403040 41 API calls std::_Throw_Cpp_error 51378->51465 51385 4032d0 41 API calls std::_Throw_Cpp_error 51385->51465 51392 4235f0 41 API calls 51392->51465 51401 402df0 41 API calls std::_Throw_Cpp_error 51401->51465 51404 418f00 41 API calls std::_Throw_Cpp_error 51404->51464 51420 402fe0 41 API calls std::_Throw_Cpp_error 51420->51465 51436 4163b0 41 API calls std::_Throw_Cpp_error 51436->51465 51441 4e6d70 78 API calls 51441->51464 51443 4032d0 std::_Throw_Cpp_error 41 API calls 51443->51464 51448 4163b0 41 API calls std::_Throw_Cpp_error 51448->51464 51464->51210 51464->51220 51464->51263 51464->51287 51464->51331 51464->51404 51464->51441 51464->51443 51464->51448 52330 424400 44 API calls 4 library calls 51464->52330 51465->51212 51465->51220 51465->51221 51465->51234 51465->51243 51465->51255 51465->51309 51465->51312 51465->51320 51465->51359 51465->51378 51465->51385 51465->51392 51465->51401 51465->51420 51465->51436 51466 4098e0 41 API calls 51465->51466 51466->51465 52156 41ac81 52155->52156 52156->52156 52157 41acd3 52156->52157 52158 41ac9b 52156->52158 52161 41fbf0 41 API calls 52157->52161 52159 41e8a0 41 API calls 52158->52159 52160 41acb2 52159->52160 52160->51198 52162 41ad24 52161->52162 52162->51198 52330->51464 52994 46a140 53005 46a17b 52994->53005 52995 46aa60 52996 4163b0 41 API calls std::_Throw_Cpp_error 52996->53005 53000 41af80 41 API calls 53000->53005 53001 413d50 41 API calls 53001->53005 53002 4138b0 41 API calls 53002->53005 53005->52995 53005->52996 53005->53000 53005->53001 53005->53002 53006 49f0d0 53005->53006 53098 49d3a0 53005->53098 53178 49af60 53005->53178 53259 4986b0 53005->53259 53336 4963b0 53005->53336 53007 49f106 53006->53007 53008 417ef0 41 API calls 53007->53008 53009 49f12f 53008->53009 53010 4140c0 41 API calls 
53009->53010 53011 49f159 53010->53011 53012 41af80 41 API calls 53011->53012 53013 49f1f4 __fread_nolock 53012->53013 53014 49f212 SHGetFolderPathA 53013->53014 53015 41ac50 41 API calls 53014->53015 53016 49f23f 53015->53016 53017 41ab20 41 API calls 53016->53017 53018 49f2e4 __fread_nolock 53017->53018 53019 49f2fe GetPrivateProfileSectionNamesA 53018->53019 53072 49f331 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 53019->53072 53021 4a348d lstrlen 53022 4a34a3 53021->53022 53021->53072 53023 402df0 std::_Throw_Cpp_error 41 API calls 53022->53023 53025 4a34b2 53023->53025 53024 49f422 GetPrivateProfileStringA 53024->53072 53026 402df0 std::_Throw_Cpp_error 41 API calls 53025->53026 53027 4a34c1 53026->53027 53028 402df0 std::_Throw_Cpp_error 41 API calls 53027->53028 53029 4a34cd 53028->53029 53032 402df0 std::_Throw_Cpp_error 41 API calls 53029->53032 53030 4a34fb 53034 402cf0 std::_Throw_Cpp_error 41 API calls 53030->53034 53031 41abb0 41 API calls 53031->53072 53033 4a34d9 53032->53033 53035 402df0 std::_Throw_Cpp_error 41 API calls 53033->53035 53036 4a3514 53034->53036 53037 4a34e5 53035->53037 53038 41ace0 41 API calls 53036->53038 53037->53005 53039 4a3529 53038->53039 53040 407cf0 41 API calls 53039->53040 53041 4a3541 53040->53041 53042 4351fb Concurrency::cancel_current_task RaiseException 53041->53042 53043 4a3555 53042->53043 53044 438c70 std::_Throw_Cpp_error 41 API calls 53043->53044 53045 4a355a 53044->53045 53047 402cf0 std::_Throw_Cpp_error 41 API calls 53045->53047 53046 41e8a0 41 API calls 53046->53072 53050 4a356d 53047->53050 53048 4d6790 148 API calls 53048->53072 53049 4e7640 87 API calls 53049->53072 53053 41ace0 41 API calls 53050->53053 53051 4032d0 std::_Throw_Cpp_error 41 API calls 53051->53072 53052 41b430 53 API calls 53052->53072 53054 4a3582 53053->53054 53055 407cf0 41 API calls 53054->53055 53056 4a359a 53055->53056 53057 4351fb Concurrency::cancel_current_task RaiseException 53056->53057 53059 
4a35ae 53057->53059 53058 4d65f0 87 API calls 53058->53072 53060 402cf0 std::_Throw_Cpp_error 41 API calls 53059->53060 53061 4a35c2 53060->53061 53062 41ace0 41 API calls 53061->53062 53063 4a35d7 53062->53063 53064 407cf0 41 API calls 53063->53064 53065 4a35ef 53064->53065 53066 4351fb Concurrency::cancel_current_task RaiseException 53065->53066 53067 4a3603 53066->53067 53068 417ef0 41 API calls 53068->53072 53069 4130f0 41 API calls 53069->53072 53071 4e6ca0 86 API calls 53071->53072 53072->53021 53072->53024 53072->53030 53072->53031 53072->53043 53072->53045 53072->53046 53072->53048 53072->53049 53072->53051 53072->53052 53072->53058 53072->53059 53072->53068 53072->53069 53072->53071 53073 4a1c5f CreateDirectoryA 53072->53073 53075 426db0 41 API calls 53072->53075 53076 41af80 41 API calls 53072->53076 53077 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53072->53077 53078 41ad80 41 API calls 53072->53078 53079 403040 41 API calls std::_Throw_Cpp_error 53072->53079 53080 413d50 41 API calls 53072->53080 53081 41b0e0 41 API calls 53072->53081 53082 4a1f46 CreateDirectoryA 53072->53082 53083 41ab20 41 API calls 53072->53083 53084 402fe0 41 API calls std::_Throw_Cpp_error 53072->53084 53085 402cf0 std::_Throw_Cpp_error 41 API calls 53072->53085 53087 41ace0 41 API calls 53072->53087 53088 41b7b0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection 53072->53088 53089 4e6d70 78 API calls 53072->53089 53090 439820 43 API calls 53072->53090 53092 413980 41 API calls 53072->53092 53093 402df0 41 API calls std::_Throw_Cpp_error 53072->53093 53094 4a3610 154 API calls 53072->53094 53095 441628 75 API calls 53072->53095 53096 43d0a8 78 API calls 53072->53096 53415 440fae 53072->53415 53429 42c080 41 API calls 2 library calls 53072->53429 53430 424900 41 API calls 53072->53430 53431 413200 53072->53431 53446 41b9d0 41 API calls 2 library calls 53072->53446 53447 4136c0 41 API calls 2 library calls 53072->53447 
53073->53072 53075->53072 53076->53072 53077->53072 53078->53072 53079->53072 53080->53072 53081->53072 53082->53072 53083->53072 53084->53072 53085->53072 53087->53072 53088->53072 53089->53072 53090->53072 53092->53072 53093->53072 53094->53072 53095->53072 53096->53072 53099 49d3d6 53098->53099 53100 417ef0 41 API calls 53099->53100 53101 49d3ff 53100->53101 53102 4140c0 41 API calls 53101->53102 53103 49d429 53102->53103 53104 41af80 41 API calls 53103->53104 53105 49d4c4 __fread_nolock 53104->53105 53106 49d4e2 SHGetFolderPathA 53105->53106 53107 41ac50 41 API calls 53106->53107 53108 49d50f 53107->53108 53109 41ab20 41 API calls 53108->53109 53110 49d5b4 __fread_nolock 53109->53110 53111 49d5ce GetPrivateProfileSectionNamesA 53110->53111 53174 49d601 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 53111->53174 53112 440fae 50 API calls 53112->53174 53113 49ef31 lstrlen 53114 49ef47 53113->53114 53113->53174 53116 402df0 std::_Throw_Cpp_error 41 API calls 53114->53116 53115 49d6f2 GetPrivateProfileStringA 53115->53174 53117 49ef56 53116->53117 53118 402df0 std::_Throw_Cpp_error 41 API calls 53117->53118 53119 49ef65 53118->53119 53121 402df0 std::_Throw_Cpp_error 41 API calls 53119->53121 53120 49f068 53125 438c70 std::_Throw_Cpp_error 41 API calls 53120->53125 53123 49ef71 53121->53123 53122 41e8a0 41 API calls 53122->53174 53123->53005 53124 41abb0 41 API calls 53124->53174 53126 49f072 53125->53126 53127 402cf0 std::_Throw_Cpp_error 41 API calls 53126->53127 53128 49f089 53127->53128 53129 41ace0 41 API calls 53128->53129 53130 49f09e 53129->53130 53131 407cf0 41 API calls 53130->53131 53132 49f0b6 53131->53132 53134 4351fb Concurrency::cancel_current_task RaiseException 53132->53134 53133 41ab20 41 API calls 53133->53174 53135 49f0ca 53134->53135 53136 439820 43 API calls 53136->53174 53137 43d0a8 78 API calls 53137->53174 53138 402df0 41 API calls std::_Throw_Cpp_error 53138->53174 53139 4140c0 41 API calls 53139->53174 53140 
4032d0 41 API calls std::_Throw_Cpp_error 53140->53174 53141 4e64d0 44 API calls 53141->53174 53142 41c3a0 3 API calls 53142->53174 53143 49efc0 53147 402cf0 std::_Throw_Cpp_error 41 API calls 53143->53147 53144 4185d0 76 API calls 53144->53174 53145 4180a0 41 API calls 53145->53174 53146 416130 41 API calls 53146->53174 53148 49efd7 53147->53148 53149 41ace0 41 API calls 53148->53149 53150 49efec 53149->53150 53152 407cf0 41 API calls 53150->53152 53151 4d6790 148 API calls 53151->53174 53153 49f004 53152->53153 53154 4351fb Concurrency::cancel_current_task RaiseException 53153->53154 53154->53120 53155 49ef86 53157 402cf0 std::_Throw_Cpp_error 41 API calls 53155->53157 53156 4d65f0 87 API calls 53156->53174 53158 49ef99 53157->53158 53159 41ace0 41 API calls 53158->53159 53169 49ee87 53159->53169 53160 407cf0 41 API calls 53160->53153 53161 417ef0 41 API calls 53161->53174 53162 49ee5e 53165 402cf0 std::_Throw_Cpp_error 41 API calls 53162->53165 53163 413d50 41 API calls 53163->53174 53164 424900 41 API calls 53164->53174 53166 49ee72 53165->53166 53167 41ace0 41 API calls 53166->53167 53167->53169 53168 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53168->53174 53169->53160 53170 403040 41 API calls std::_Throw_Cpp_error 53170->53174 53172 426db0 41 API calls 53172->53174 53173 49f014 53175 402cf0 std::_Throw_Cpp_error 41 API calls 53173->53175 53174->53112 53174->53113 53174->53115 53174->53120 53174->53122 53174->53124 53174->53126 53174->53133 53174->53136 53174->53137 53174->53138 53174->53139 53174->53140 53174->53141 53174->53142 53174->53143 53174->53144 53174->53145 53174->53146 53174->53151 53174->53155 53174->53156 53174->53161 53174->53162 53174->53163 53174->53164 53174->53168 53174->53170 53174->53172 53174->53173 53455 423f40 102 API calls 4 library calls 53174->53455 53176 49f027 53175->53176 53177 41ace0 41 API calls 53176->53177 53177->53169 53179 49af96 53178->53179 53180 417ef0 41 API calls 
53179->53180 53181 49afbf 53180->53181 53182 4140c0 41 API calls 53181->53182 53183 49afe9 53182->53183 53184 41af80 41 API calls 53183->53184 53185 49b128 __fread_nolock 53184->53185 53186 49b146 SHGetFolderPathA 53185->53186 53187 41ac50 41 API calls 53186->53187 53188 49b173 53187->53188 53189 41ab20 41 API calls 53188->53189 53190 49b227 __fread_nolock 53189->53190 53191 49b241 GetPrivateProfileSectionNamesA 53190->53191 53249 49b274 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 53191->53249 53192 440fae 50 API calls 53192->53249 53193 49d22c lstrlen 53194 49d242 53193->53194 53193->53249 53196 402df0 std::_Throw_Cpp_error 41 API calls 53194->53196 53195 49b365 GetPrivateProfileStringA 53195->53249 53197 49d251 53196->53197 53198 402df0 std::_Throw_Cpp_error 41 API calls 53197->53198 53200 49d260 53198->53200 53199 49d329 53205 438c70 std::_Throw_Cpp_error 41 API calls 53199->53205 53202 402df0 std::_Throw_Cpp_error 41 API calls 53200->53202 53201 41e8a0 41 API calls 53201->53249 53203 49d26c 53202->53203 53203->53005 53204 41abb0 41 API calls 53204->53249 53206 49d333 53205->53206 53456 419e60 RaiseException 53206->53456 53208 49d338 53210 402cf0 std::_Throw_Cpp_error 41 API calls 53208->53210 53209 403040 41 API calls std::_Throw_Cpp_error 53209->53249 53211 49d34f 53210->53211 53212 41ace0 41 API calls 53211->53212 53213 49d364 53212->53213 53214 407cf0 41 API calls 53213->53214 53216 49d37c 53214->53216 53215 41ab20 41 API calls 53215->53249 53217 4351fb Concurrency::cancel_current_task RaiseException 53216->53217 53219 49d390 53217->53219 53218 439820 43 API calls 53218->53249 53220 43d0a8 78 API calls 53220->53249 53221 4140c0 41 API calls 53221->53249 53222 4e64d0 44 API calls 53222->53249 53223 41c3a0 3 API calls 53223->53249 53224 49d281 53228 402cf0 std::_Throw_Cpp_error 41 API calls 53224->53228 53225 4032d0 41 API calls std::_Throw_Cpp_error 53225->53249 53226 4185d0 76 API calls 53226->53249 53227 4180a0 41 API calls 
53227->53249 53229 49d298 53228->53229 53231 41ace0 41 API calls 53229->53231 53230 416130 41 API calls 53230->53249 53233 49d2ad 53231->53233 53232 4d6790 148 API calls 53232->53249 53234 407cf0 41 API calls 53233->53234 53235 49d2c5 53234->53235 53237 4351fb Concurrency::cancel_current_task RaiseException 53235->53237 53236 41af80 41 API calls 53236->53249 53237->53199 53238 49d0d3 53241 402cf0 std::_Throw_Cpp_error 41 API calls 53238->53241 53239 4d65f0 87 API calls 53239->53249 53240 413d50 41 API calls 53240->53249 53242 49d0e6 53241->53242 53243 41ace0 41 API calls 53242->53243 53258 49d0fb 53243->53258 53244 407cf0 41 API calls 53244->53235 53245 41fbf0 41 API calls 53245->53249 53246 418f00 std::_Throw_Cpp_error 41 API calls 53246->53249 53247 402df0 41 API calls std::_Throw_Cpp_error 53247->53249 53248 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53248->53249 53249->53192 53249->53193 53249->53195 53249->53199 53249->53201 53249->53204 53249->53206 53249->53208 53249->53209 53249->53215 53249->53218 53249->53220 53249->53221 53249->53222 53249->53223 53249->53224 53249->53225 53249->53226 53249->53227 53249->53230 53249->53232 53249->53236 53249->53238 53249->53239 53249->53240 53249->53245 53249->53246 53249->53247 53249->53248 53250 4163b0 std::_Throw_Cpp_error 41 API calls 53249->53250 53251 426db0 41 API calls 53249->53251 53252 49d2d5 53249->53252 53253 417ef0 41 API calls 53249->53253 53254 424900 41 API calls 53249->53254 53250->53249 53251->53249 53255 402cf0 std::_Throw_Cpp_error 41 API calls 53252->53255 53253->53249 53254->53249 53256 49d2e8 53255->53256 53257 41ace0 41 API calls 53256->53257 53257->53258 53258->53244 53260 4986e6 53259->53260 53261 417ef0 41 API calls 53260->53261 53262 49870f 53261->53262 53263 4140c0 41 API calls 53262->53263 53264 498739 53263->53264 53265 41af80 41 API calls 53264->53265 53266 4987d4 __fread_nolock 53265->53266 53267 4987f2 SHGetFolderPathA 53266->53267 53268 
41ac50 41 API calls 53267->53268 53269 49881f 53268->53269 53270 41ab20 41 API calls 53269->53270 53271 4988c4 __fread_nolock 53270->53271 53272 4988de GetPrivateProfileSectionNamesA 53271->53272 53326 498914 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 53272->53326 53273 440fae 50 API calls 53273->53326 53274 49ae10 lstrlen 53275 49ae29 53274->53275 53274->53326 53277 402df0 std::_Throw_Cpp_error 41 API calls 53275->53277 53276 498a05 GetPrivateProfileStringA 53276->53326 53278 49ae38 53277->53278 53279 402df0 std::_Throw_Cpp_error 41 API calls 53278->53279 53281 49ae47 53279->53281 53280 49aef7 53286 438c70 std::_Throw_Cpp_error 41 API calls 53280->53286 53283 402df0 std::_Throw_Cpp_error 41 API calls 53281->53283 53282 41e8a0 41 API calls 53282->53326 53284 49ae53 53283->53284 53284->53005 53285 41abb0 41 API calls 53285->53326 53287 49af01 53286->53287 53289 402cf0 std::_Throw_Cpp_error 41 API calls 53287->53289 53288 402df0 41 API calls std::_Throw_Cpp_error 53288->53326 53290 49af15 53289->53290 53291 41ace0 41 API calls 53290->53291 53292 49af2a 53291->53292 53293 407cf0 41 API calls 53292->53293 53294 49af42 53293->53294 53295 4351fb Concurrency::cancel_current_task RaiseException 53294->53295 53297 49af56 53295->53297 53296 41ab20 41 API calls 53296->53326 53298 439820 43 API calls 53298->53326 53299 43d0a8 78 API calls 53299->53326 53300 417ef0 41 API calls 53300->53326 53301 4140c0 41 API calls 53301->53326 53302 4e64d0 44 API calls 53302->53326 53303 4032d0 41 API calls std::_Throw_Cpp_error 53303->53326 53304 41c3a0 3 API calls 53304->53326 53305 49ae68 53307 402cf0 std::_Throw_Cpp_error 41 API calls 53305->53307 53306 4185d0 76 API calls 53306->53326 53308 49ae7f 53307->53308 53310 41ace0 41 API calls 53308->53310 53309 416130 41 API calls 53309->53326 53312 49ad42 53310->53312 53311 4d6790 148 API calls 53311->53326 53313 407cf0 41 API calls 53312->53313 53314 49aee3 53313->53314 53316 4351fb 
Concurrency::cancel_current_task RaiseException 53314->53316 53315 41af80 41 API calls 53315->53326 53316->53280 53317 4d65f0 87 API calls 53317->53326 53318 49ad1a 53321 402cf0 std::_Throw_Cpp_error 41 API calls 53318->53321 53319 413d50 41 API calls 53319->53326 53320 424900 41 API calls 53320->53326 53322 49ad2d 53321->53322 53323 41ace0 41 API calls 53322->53323 53323->53312 53324 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53324->53326 53325 403040 41 API calls std::_Throw_Cpp_error 53325->53326 53326->53273 53326->53274 53326->53276 53326->53280 53326->53282 53326->53285 53326->53287 53326->53288 53326->53296 53326->53298 53326->53299 53326->53300 53326->53301 53326->53302 53326->53303 53326->53304 53326->53305 53326->53306 53326->53309 53326->53311 53326->53315 53326->53317 53326->53318 53326->53319 53326->53320 53326->53324 53326->53325 53327 4412f6 50 API calls 53326->53327 53328 426db0 41 API calls 53326->53328 53329 402fe0 41 API calls std::_Throw_Cpp_error 53326->53329 53331 4180a0 41 API calls 53326->53331 53332 49aea3 53326->53332 53457 42c080 41 API calls 2 library calls 53326->53457 53327->53326 53328->53326 53329->53326 53331->53326 53333 402cf0 std::_Throw_Cpp_error 41 API calls 53332->53333 53334 49aeb6 53333->53334 53335 41ace0 41 API calls 53334->53335 53335->53312 53337 4963e6 53336->53337 53338 417ef0 41 API calls 53337->53338 53339 49640f 53338->53339 53340 4140c0 41 API calls 53339->53340 53341 496439 53340->53341 53342 41af80 41 API calls 53341->53342 53343 4964d4 __fread_nolock 53342->53343 53344 4964f2 SHGetFolderPathA 53343->53344 53345 41ac50 41 API calls 53344->53345 53346 49651f 53345->53346 53347 41ab20 41 API calls 53346->53347 53348 4965c4 __fread_nolock 53347->53348 53349 4965de GetPrivateProfileSectionNamesA 53348->53349 53352 496611 std::ios_base::_Ios_base_dtor __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z std::locale::_Locimp::_Locimp 53349->53352 53350 440fae 50 API 
calls 53350->53352 53351 49854e lstrlen 53351->53352 53353 498564 53351->53353 53352->53350 53352->53351 53355 496702 GetPrivateProfileStringA 53352->53355 53360 49864b 53352->53360 53361 41e8a0 41 API calls 53352->53361 53364 41abb0 41 API calls 53352->53364 53365 498655 53352->53365 53372 41ab20 41 API calls 53352->53372 53375 439820 43 API calls 53352->53375 53376 43d0a8 78 API calls 53352->53376 53377 402df0 41 API calls std::_Throw_Cpp_error 53352->53377 53378 4140c0 41 API calls 53352->53378 53379 4e64d0 44 API calls 53352->53379 53380 4032d0 41 API calls std::_Throw_Cpp_error 53352->53380 53381 41c3a0 3 API calls 53352->53381 53382 4985a3 53352->53382 53383 4185d0 76 API calls 53352->53383 53384 4180a0 41 API calls 53352->53384 53385 416130 41 API calls 53352->53385 53389 4d6790 148 API calls 53352->53389 53393 41af80 41 API calls 53352->53393 53395 4d65f0 87 API calls 53352->53395 53396 4983f5 53352->53396 53397 424900 41 API calls 53352->53397 53403 41fbf0 41 API calls 53352->53403 53404 418f00 std::_Throw_Cpp_error 41 API calls 53352->53404 53405 433672 std::_Facet_Register 3 API calls 53352->53405 53406 426db0 41 API calls 53352->53406 53407 4412f6 50 API calls 53352->53407 53408 403040 41 API calls std::_Throw_Cpp_error 53352->53408 53409 4985f7 53352->53409 53410 417ef0 41 API calls 53352->53410 53412 413d50 41 API calls 53352->53412 53354 402df0 std::_Throw_Cpp_error 41 API calls 53353->53354 53356 498573 53354->53356 53355->53352 53357 402df0 std::_Throw_Cpp_error 41 API calls 53356->53357 53358 498582 53357->53358 53359 402df0 std::_Throw_Cpp_error 41 API calls 53358->53359 53362 49858e 53359->53362 53363 438c70 std::_Throw_Cpp_error 41 API calls 53360->53363 53361->53352 53362->53005 53363->53365 53364->53352 53366 402cf0 std::_Throw_Cpp_error 41 API calls 53365->53366 53367 49866c 53366->53367 53368 41ace0 41 API calls 53367->53368 53369 498681 53368->53369 53370 407cf0 41 API calls 53369->53370 53371 498699 53370->53371 53373 4351fb 
Concurrency::cancel_current_task RaiseException 53371->53373 53372->53352 53374 4986ad 53373->53374 53375->53352 53376->53352 53377->53352 53378->53352 53379->53352 53380->53352 53381->53352 53386 402cf0 std::_Throw_Cpp_error 41 API calls 53382->53386 53383->53352 53384->53352 53385->53352 53387 4985ba 53386->53387 53388 41ace0 41 API calls 53387->53388 53390 4985cf 53388->53390 53389->53352 53391 407cf0 41 API calls 53390->53391 53392 4985e7 53391->53392 53394 4351fb Concurrency::cancel_current_task RaiseException 53392->53394 53393->53352 53394->53360 53395->53352 53398 402cf0 std::_Throw_Cpp_error 41 API calls 53396->53398 53397->53352 53399 498408 53398->53399 53400 41ace0 41 API calls 53399->53400 53401 49841d 53400->53401 53402 407cf0 41 API calls 53401->53402 53402->53392 53403->53352 53404->53352 53405->53352 53406->53352 53407->53352 53408->53352 53411 402cf0 std::_Throw_Cpp_error 41 API calls 53409->53411 53410->53352 53413 49860a 53411->53413 53412->53352 53414 41ace0 41 API calls 53413->53414 53414->53401 53416 441005 53415->53416 53417 440fbd 53415->53417 53452 44101b 50 API calls 3 library calls 53416->53452 53419 440fc3 53417->53419 53420 440fe0 53417->53420 53448 4416ff 14 API calls __dosmaperr 53419->53448 53428 440ffe 53420->53428 53450 4416ff 14 API calls __dosmaperr 53420->53450 53421 440fd3 53421->53072 53423 440fc8 53449 438c60 41 API calls __fread_nolock 53423->53449 53426 440fef 53451 438c60 41 API calls __fread_nolock 53426->53451 53428->53072 53429->53072 53430->53072 53432 41325c 53431->53432 53435 413225 53431->53435 53433 402cf0 std::_Throw_Cpp_error 41 API calls 53432->53433 53434 413269 53433->53434 53453 407b10 41 API calls 3 library calls 53434->53453 53436 413235 53435->53436 53439 402cf0 std::_Throw_Cpp_error 41 API calls 53435->53439 53436->53072 53438 413281 53440 4351fb Concurrency::cancel_current_task RaiseException 53438->53440 53441 41329f 53439->53441 53440->53435 53454 407b10 41 API calls 3 library calls 53441->53454 53443 
4132b7 53444 4351fb Concurrency::cancel_current_task RaiseException 53443->53444 53445 4132c8 53444->53445 53446->53072 53447->53072 53448->53423 53449->53421 53450->53426 53451->53421 53452->53421 53453->53438 53454->53443 53455->53174 53457->53326 53643 4c7b00 53644 4c7ecc 53643->53644 53646 4c7b3e std::ios_base::_Ios_base_dtor __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 53643->53646 53645 4c7b87 setsockopt recv WSAGetLastError 53645->53644 53645->53646 53646->53645 53648 4c7eb7 Sleep 53646->53648 53649 4c7e15 recv 53646->53649 53651 4c7eaf Sleep 53646->53651 53652 418dc0 41 API calls 53646->53652 53655 409280 44 API calls 53646->53655 53656 4c7ee1 53646->53656 53657 4163b0 std::_Throw_Cpp_error 41 API calls 53646->53657 53659 4c7cd6 setsockopt recv 53646->53659 53660 418dc0 41 API calls 53646->53660 53663 4c8590 WSAStartup 53646->53663 53676 4c7ef0 53646->53676 53748 433069 53646->53748 53648->53644 53648->53646 53649->53651 53651->53648 53653 4c7c2d recv 53652->53653 53653->53646 53654 4c7c4e recv 53653->53654 53654->53646 53655->53646 53658 438c70 std::_Throw_Cpp_error 41 API calls 53656->53658 53657->53646 53661 4c7ee6 53658->53661 53659->53646 53660->53659 53664 4c85c8 53663->53664 53665 4c8696 53663->53665 53664->53665 53666 4c85fe getaddrinfo 53664->53666 53665->53646 53667 4c8646 53666->53667 53668 4c8690 WSACleanup 53666->53668 53669 4c86a4 FreeAddrInfoW 53667->53669 53671 4c8654 socket 53667->53671 53668->53665 53669->53668 53670 4c86b0 53669->53670 53670->53646 53671->53668 53672 4c866a connect 53671->53672 53673 4c867c closesocket 53672->53673 53674 4c86a0 53672->53674 53673->53671 53675 4c8686 FreeAddrInfoW 53673->53675 53674->53669 53675->53668 53677 4c7f6c 53676->53677 53678 4c7f3e 53676->53678 53680 4c7f8e 53677->53680 53681 4c7f74 53677->53681 53679 402cf0 std::_Throw_Cpp_error 41 API calls 53678->53679 53682 4c7f50 53679->53682 53684 4c7f96 53680->53684 53685 4c7fb0 53680->53685 53751 416290 41 API calls 53681->53751 53688 409280 44 API calls 
53682->53688 53752 416290 41 API calls 53684->53752 53686 4c7fb8 53685->53686 53687 4c7fd5 53685->53687 53718 4c7f64 53686->53718 53753 416290 41 API calls 53686->53753 53690 4c7fdd 53687->53690 53691 4c7ffb 53687->53691 53688->53718 53754 4412b7 50 API calls __fread_nolock 53690->53754 53696 4c801b 53691->53696 53697 4c82c0 53691->53697 53691->53718 53694 402df0 std::_Throw_Cpp_error 41 API calls 53695 4c84f1 53694->53695 53695->53646 53755 405400 85 API calls std::_Throw_Cpp_error 53696->53755 53698 4c82c8 53697->53698 53699 4c831b 53697->53699 53701 41b430 53 API calls 53698->53701 53702 4c8376 53699->53702 53703 4c8323 53699->53703 53701->53718 53705 4c837e 53702->53705 53706 4c83d1 53702->53706 53704 41b430 53 API calls 53703->53704 53704->53718 53707 41b430 53 API calls 53705->53707 53709 4c842c 53706->53709 53710 4c83d9 53706->53710 53707->53718 53708 4c82a5 53715 432baa RtlReleaseSRWLockExclusive 53708->53715 53713 4c8484 53709->53713 53714 4c8434 53709->53714 53712 41b430 53 API calls 53710->53712 53711 402cf0 std::_Throw_Cpp_error 41 API calls 53725 4c8040 53711->53725 53712->53718 53713->53718 53760 458b00 50 API calls 2 library calls 53713->53760 53716 41b430 53 API calls 53714->53716 53715->53718 53716->53718 53718->53694 53719 4c849a 53720 4162c0 41 API calls 53719->53720 53722 4c84a9 53720->53722 53721 41ace0 41 API calls 53721->53725 53723 402df0 std::_Throw_Cpp_error 41 API calls 53722->53723 53723->53718 53724 402df0 41 API calls std::_Throw_Cpp_error 53724->53725 53725->53708 53725->53711 53725->53721 53725->53724 53726 4c810b 53725->53726 53756 402d30 41 API calls std::_Throw_Cpp_error 53726->53756 53728 4c812f 53757 4d62c0 43 API calls 5 library calls 53728->53757 53730 4c8140 53731 402df0 std::_Throw_Cpp_error 41 API calls 53730->53731 53732 4c814f 53731->53732 53733 4c81b2 GetCurrentProcess 53732->53733 53736 4c81e5 53732->53736 53734 4163b0 std::_Throw_Cpp_error 41 API calls 53733->53734 53735 4c81ce 53734->53735 53758 4cf280 61 API calls 3 
library calls 53735->53758 53738 439820 43 API calls 53736->53738 53740 4c8247 53738->53740 53739 4c81dd 53741 4c8279 53739->53741 53740->53741 53743 441628 75 API calls 53740->53743 53759 415230 41 API calls std::_Throw_Cpp_error 53741->53759 53745 4c8273 53743->53745 53744 4c8296 53746 402df0 std::_Throw_Cpp_error 41 API calls 53744->53746 53747 43d0a8 78 API calls 53745->53747 53746->53708 53747->53741 53761 43361d 53748->53761 53751->53718 53752->53718 53753->53718 53754->53718 53755->53725 53756->53728 53757->53730 53758->53739 53759->53744 53760->53719 53762 433659 GetSystemTimeAsFileTime 53761->53762 53763 43364d GetSystemTimePreciseAsFileTime 53761->53763 53764 433077 53762->53764 53763->53764 53764->53646 45648 419950 45649 419968 45648->45649 45650 419978 std::ios_base::_Ios_base_dtor 45648->45650 45649->45650 45660 438c70 45649->45660 45665 438bac 41 API calls __fread_nolock 45660->45665 45662 438c7f 45666 438c8d 11 API calls std::locale::_Setgloballocale 45662->45666 45664 438c8c 45665->45662 45666->45664 45667 420ad0 45672 4214a0 45667->45672 45669 420ae0 45670 420b2a 45669->45670 45677 429e20 45669->45677 45673 4214cb 45672->45673 45674 4214ee 45673->45674 45675 429e20 41 API calls 45673->45675 45674->45669 45676 42150b 45675->45676 45676->45669 45678 429e62 45677->45678 45679 429f76 45677->45679 45681 429e7c 45678->45681 45682 429eca 45678->45682 45683 429eba 45678->45683 45704 403330 RaiseException 45679->45704 45695 433672 45681->45695 45688 433672 std::_Facet_Register 3 API calls 45682->45688 45692 429e9a std::locale::_Locimp::_Locimp 45682->45692 45683->45681 45684 429f7b 45683->45684 45705 402b50 RaiseException Concurrency::cancel_current_task ___std_exception_copy 45684->45705 45687 429e8f 45689 429f80 45687->45689 45687->45692 45688->45692 45690 438c70 std::_Throw_Cpp_error 41 API calls 45689->45690 45691 429f85 45690->45691 45703 4277d0 41 API calls 2 library calls 45692->45703 45694 429f47 45694->45670 45697 433677 45695->45697 45696 433691 
45696->45687 45697->45696 45700 402b50 Concurrency::cancel_current_task 45697->45700 45709 445a89 RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 45697->45709 45699 43369d 45699->45699 45700->45699 45706 4351fb 45700->45706 45702 402b6c ___std_exception_copy 45702->45687 45703->45694 45705->45689 45707 435242 RaiseException 45706->45707 45708 435215 45706->45708 45707->45702 45708->45707 45709->45697 46520 45dcd0 46521 45de11 46520->46521 46522 45dd1d 46520->46522 46523 41ab20 41 API calls 46521->46523 46524 41ab20 41 API calls 46522->46524 46525 45de6d 46523->46525 46526 45dd79 46524->46526 46527 4163b0 std::_Throw_Cpp_error 41 API calls 46525->46527 46607 41b980 41 API calls 46526->46607 46529 45de88 46527->46529 46540 481c10 46529->46540 46530 45ddd0 46608 4e5ff0 11 API calls 46530->46608 46534 45ddf0 46609 4188d0 46534->46609 46535 402df0 std::_Throw_Cpp_error 41 API calls 46537 45dea7 46535->46537 46538 45de02 46539 402df0 std::_Throw_Cpp_error 41 API calls 46538->46539 46539->46521 46541 4e6ca0 86 API calls 46540->46541 46569 481c6c __fread_nolock std::locale::_Locimp::_Locimp 46541->46569 46542 48443c 46543 402df0 std::_Throw_Cpp_error 41 API calls 46542->46543 46544 45de95 46543->46544 46544->46535 46545 48449d 46546 402cf0 std::_Throw_Cpp_error 41 API calls 46545->46546 46547 4844ad 46546->46547 46696 407b10 41 API calls 3 library calls 46547->46696 46549 4844c8 46552 4351fb Concurrency::cancel_current_task RaiseException 46549->46552 46550 484598 46551 402cf0 std::_Throw_Cpp_error 41 API calls 46550->46551 46553 4845a8 46551->46553 46554 4844dc 46552->46554 46699 407b10 41 API calls 3 library calls 46553->46699 46556 438c70 std::_Throw_Cpp_error 41 API calls 46554->46556 46559 4844e1 46556->46559 46557 48445e 46560 402cf0 std::_Throw_Cpp_error 41 API calls 46557->46560 46558 4845c3 46561 4351fb Concurrency::cancel_current_task RaiseException 46558->46561 46697 402b50 RaiseException Concurrency::cancel_current_task 
___std_exception_copy 46559->46697 46563 48446e 46560->46563 46564 4845d7 46561->46564 46695 407b10 41 API calls 3 library calls 46563->46695 46565 4844e6 46698 403330 RaiseException 46565->46698 46568 484489 46571 4351fb Concurrency::cancel_current_task RaiseException 46568->46571 46569->46542 46569->46545 46569->46550 46569->46554 46569->46557 46569->46559 46569->46565 46570 4844eb 46569->46570 46572 41af80 41 API calls 46569->46572 46574 41b0e0 41 API calls 46569->46574 46579 484544 46569->46579 46591 4e64d0 44 API calls 46569->46591 46592 482793 SHGetFolderPathA 46569->46592 46593 482a95 SHGetFolderPathA 46569->46593 46594 482d93 SHGetFolderPathA 46569->46594 46595 403040 41 API calls std::_Throw_Cpp_error 46569->46595 46596 4830f3 SHGetFolderPathA 46569->46596 46597 402df0 41 API calls std::_Throw_Cpp_error 46569->46597 46598 48341b SHGetFolderPathA 46569->46598 46599 402fe0 41 API calls std::_Throw_Cpp_error 46569->46599 46600 483725 SHGetFolderPathA 46569->46600 46601 418b00 41 API calls 46569->46601 46602 4032d0 41 API calls std::_Throw_Cpp_error 46569->46602 46604 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 46569->46604 46605 4185d0 76 API calls 46569->46605 46606 4163b0 41 API calls std::_Throw_Cpp_error 46569->46606 46614 4412b7 50 API calls __fread_nolock 46569->46614 46615 4845e0 46569->46615 46694 416130 41 API calls 2 library calls 46569->46694 46573 402cf0 std::_Throw_Cpp_error 41 API calls 46570->46573 46571->46545 46572->46569 46575 484503 46573->46575 46574->46569 46576 41ace0 41 API calls 46575->46576 46577 484518 46576->46577 46578 407cf0 41 API calls 46577->46578 46580 484530 46578->46580 46584 402cf0 std::_Throw_Cpp_error 41 API calls 46579->46584 46582 4351fb Concurrency::cancel_current_task RaiseException 46580->46582 46582->46579 46585 484557 46584->46585 46586 41ace0 41 API calls 46585->46586 46587 48456c 46586->46587 46588 407cf0 41 API calls 46587->46588 46589 484584 46588->46589 46590 
4351fb Concurrency::cancel_current_task RaiseException 46589->46590 46590->46550 46591->46569 46592->46569 46593->46569 46594->46569 46595->46569 46596->46569 46597->46569 46598->46569 46599->46569 46600->46569 46601->46569 46602->46569 46604->46569 46605->46569 46606->46569 46607->46530 46608->46534 46610 418914 std::ios_base::_Ios_base_dtor 46609->46610 46611 4188f3 46609->46611 46610->46538 46611->46610 46612 438c70 std::_Throw_Cpp_error 41 API calls 46611->46612 46613 418947 46612->46613 46614->46569 46616 484641 46615->46616 46617 485d64 46615->46617 46619 4e6ca0 86 API calls 46616->46619 46620 485dda 46616->46620 46752 4339b3 RtlAcquireSRWLockExclusive RtlReleaseSRWLockExclusive SleepConditionVariableSRW 46617->46752 46622 484651 46619->46622 46753 402b50 RaiseException Concurrency::cancel_current_task ___std_exception_copy 46620->46753 46624 484a38 46622->46624 46627 4163b0 std::_Throw_Cpp_error 41 API calls 46622->46627 46635 485c79 46622->46635 46623 485ddf 46754 403330 RaiseException 46623->46754 46628 4163b0 std::_Throw_Cpp_error 41 API calls 46624->46628 46624->46635 46626 485de4 46632 438c70 std::_Throw_Cpp_error 41 API calls 46626->46632 46630 4846b0 46627->46630 46631 484a58 46628->46631 46629 485ce9 46637 485d0c 46629->46637 46638 485d15 46629->46638 46700 4c6000 46630->46700 46634 4c6000 45 API calls 46631->46634 46636 485dee 46632->46636 46693 484a6f std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 46634->46693 46635->46629 46635->46635 46639 403040 std::_Throw_Cpp_error 41 API calls 46635->46639 46750 413340 41 API calls 2 library calls 46637->46750 46751 413340 41 API calls 2 library calls 46638->46751 46644 485cc7 46639->46644 46640 484a26 46645 4185d0 76 API calls 46640->46645 46643 485c67 46647 4185d0 76 API calls 46643->46647 46648 4e6770 93 API calls 46644->46648 46645->46624 46646 485d11 46649 402df0 std::_Throw_Cpp_error 41 API calls 46646->46649 46647->46635 46650 485cd7 46648->46650 46652 485d28 46649->46652 
46653 402df0 std::_Throw_Cpp_error 41 API calls 46650->46653 46651 4163b0 std::_Throw_Cpp_error 41 API calls 46657 4846c7 46651->46657 46654 402df0 std::_Throw_Cpp_error 41 API calls 46652->46654 46653->46629 46656 485d34 46654->46656 46658 4185d0 76 API calls 46656->46658 46657->46640 46657->46651 46666 48474a 46657->46666 46723 415350 46657->46723 46746 485fa0 76 API calls std::_Throw_Cpp_error 46657->46746 46661 485d40 46658->46661 46662 4185d0 76 API calls 46661->46662 46663 485d4f 46662->46663 46663->46569 46664 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 46664->46693 46665 41ab20 41 API calls 46665->46666 46666->46665 46667 41ad80 41 API calls 46666->46667 46669 402df0 std::_Throw_Cpp_error 41 API calls 46666->46669 46667->46666 46668 4163b0 41 API calls std::_Throw_Cpp_error 46668->46693 46670 484870 CreateDirectoryA 46669->46670 46672 41ab20 41 API calls 46670->46672 46671 41ad80 41 API calls 46671->46693 46679 484961 46672->46679 46675 415350 41 API calls 46675->46693 46677 41e8a0 41 API calls 46677->46693 46681 4032d0 41 API calls std::_Throw_Cpp_error 46681->46693 46682 485032 CreateDirectoryA 46682->46693 46683 485bbc CopyFileA 46684 485bdf 46683->46684 46683->46693 46684->46693 46685 402df0 41 API calls std::_Throw_Cpp_error 46685->46693 46686 418b00 41 API calls 46686->46693 46688 4852f2 CoInitialize 46688->46693 46689 4188d0 41 API calls 46689->46693 46690 4854fe PathFindExtensionA 46690->46693 46691 4e7220 79 API calls 46691->46693 46692 403040 41 API calls std::_Throw_Cpp_error 46692->46693 46693->46620 46693->46623 46693->46626 46693->46643 46693->46664 46693->46668 46693->46671 46693->46675 46693->46677 46693->46681 46693->46682 46693->46683 46693->46685 46693->46686 46693->46688 46693->46689 46693->46690 46693->46691 46693->46692 46747 485fa0 76 API calls std::_Throw_Cpp_error 46693->46747 46748 485df0 104 API calls std::_Throw_Cpp_error 46693->46748 46749 4d3320 43 API calls 46693->46749 
46694->46569 46695->46568 46696->46549 46697->46565 46699->46558 46701 4c6082 46700->46701 46702 4c6072 46700->46702 46703 41ab20 41 API calls 46701->46703 46702->46701 46704 402df0 std::_Throw_Cpp_error 41 API calls 46702->46704 46705 4c6125 FindFirstFileA 46703->46705 46704->46702 46707 402df0 std::_Throw_Cpp_error 41 API calls 46705->46707 46718 4c6159 std::ios_base::_Ios_base_dtor 46707->46718 46708 4c6463 46709 402df0 std::_Throw_Cpp_error 41 API calls 46708->46709 46711 4c6479 46709->46711 46710 4c6437 FindNextFileA 46712 4c644d GetLastError 46710->46712 46710->46718 46711->46657 46713 4c645c FindClose 46712->46713 46712->46718 46713->46708 46714 41ab20 41 API calls 46714->46718 46715 403040 std::_Throw_Cpp_error 41 API calls 46715->46718 46716 418f00 std::_Throw_Cpp_error 41 API calls 46716->46718 46717 4c648e 46719 438c70 std::_Throw_Cpp_error 41 API calls 46717->46719 46718->46708 46718->46710 46718->46714 46718->46715 46718->46716 46718->46717 46720 4242a0 41 API calls 46718->46720 46722 402df0 std::_Throw_Cpp_error 41 API calls 46718->46722 46721 4c6493 46719->46721 46720->46718 46722->46718 46724 4153a0 46723->46724 46738 415439 46723->46738 46725 415469 46724->46725 46726 4153ab 46724->46726 46762 403330 RaiseException 46725->46762 46727 4153e2 46726->46727 46728 4153b9 46726->46728 46734 433672 std::_Facet_Register 3 API calls 46727->46734 46737 4153d7 46727->46737 46730 4153c4 46728->46730 46731 41546e 46728->46731 46734->46737 46737->46738 46738->46657 46746->46657 46747->46693 46748->46693 46749->46693 46750->46646 46751->46646 46752->46616 46753->46623 49690 461e10 49691 461e60 49690->49691 49692 41ab20 41 API calls 49691->49692 49693 461f34 49692->49693 49694 4e6ca0 86 API calls 49693->49694 49695 461f5a 49694->49695 49696 4e6c10 85 API calls 49695->49696 49698 461f7d 49695->49698 49696->49698 49697 46299f 49700 4e6770 93 API calls 49697->49700 49701 4629be 49697->49701 49698->49697 49699 41b260 41 API calls 49698->49699 49698->49701 49740 461fad 
49699->49740 49700->49701 49702 41ab20 41 API calls 49701->49702 49704 462aa3 49702->49704 49703 462990 49762 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49703->49762 49706 4e6ca0 86 API calls 49704->49706 49707 462ac9 49706->49707 49708 4e6c10 85 API calls 49707->49708 49711 462aec 49707->49711 49708->49711 49709 463529 49713 402df0 std::_Throw_Cpp_error 41 API calls 49709->49713 49710 46350e 49710->49709 49715 4e6770 93 API calls 49710->49715 49711->49709 49711->49710 49712 41b260 41 API calls 49711->49712 49741 462b1c 49712->49741 49714 46353b 49713->49714 49716 402df0 std::_Throw_Cpp_error 41 API calls 49714->49716 49715->49709 49718 46354a 49716->49718 49717 4634ff 49765 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49717->49765 49720 413200 41 API calls 49720->49740 49721 41b260 41 API calls 49721->49740 49723 413200 41 API calls 49723->49741 49724 41b260 41 API calls 49724->49741 49725 4163b0 41 API calls std::_Throw_Cpp_error 49725->49740 49727 41ac50 41 API calls 49727->49740 49729 4e6ca0 86 API calls 49729->49740 49730 4e6c10 85 API calls 49730->49740 49731 4163b0 41 API calls std::_Throw_Cpp_error 49731->49741 49732 439820 43 API calls 49732->49740 49733 416240 41 API calls 49733->49741 49734 41ae20 41 API calls 49734->49740 49735 41abb0 41 API calls 49735->49740 49736 4e6ca0 86 API calls 49736->49741 49738 4130f0 41 API calls 49738->49740 49739 416240 41 API calls 49739->49740 49740->49703 49740->49720 49740->49721 49740->49725 49740->49727 49740->49729 49740->49730 49740->49732 49740->49734 49740->49735 49740->49738 49740->49739 49744 43d0a8 78 API calls 49740->49744 49745 402df0 41 API calls std::_Throw_Cpp_error 49740->49745 49748 402cf0 41 API calls std::_Throw_Cpp_error 49740->49748 49754 41b400 41 API calls 49740->49754 49755 41af80 41 API calls 49740->49755 49756 403350 78 API calls 49740->49756 49760 416210 41 API calls std::_Throw_Cpp_error 49740->49760 49761 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49740->49761 49741->49717 
49741->49723 49741->49724 49741->49731 49741->49733 49741->49736 49742 4e6c10 85 API calls 49741->49742 49743 41ac50 41 API calls 49741->49743 49746 439820 43 API calls 49741->49746 49747 41ae20 41 API calls 49741->49747 49749 41abb0 41 API calls 49741->49749 49750 4130f0 41 API calls 49741->49750 49751 43d0a8 78 API calls 49741->49751 49752 402cf0 41 API calls std::_Throw_Cpp_error 49741->49752 49753 402df0 41 API calls std::_Throw_Cpp_error 49741->49753 49757 41b400 41 API calls 49741->49757 49758 41af80 41 API calls 49741->49758 49759 403350 78 API calls 49741->49759 49763 416210 41 API calls std::_Throw_Cpp_error 49741->49763 49764 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49741->49764 49742->49741 49743->49741 49744->49740 49745->49740 49746->49741 49747->49741 49748->49740 49749->49741 49750->49741 49751->49741 49752->49741 49753->49741 49754->49740 49755->49740 49756->49740 49757->49741 49758->49741 49759->49741 49760->49740 49761->49740 49762->49697 49763->49741 49764->49741 49765->49710 45710 45f460 45711 45f4cc 45710->45711 45712 45f4ad 45710->45712 45716 4163b0 45712->45716 45714 45f4bf 45721 493f40 45714->45721 45718 4163d8 45716->45718 45717 4163e7 45717->45714 45718->45717 45856 4032d0 45718->45856 45720 41642a std::locale::_Locimp::_Locimp 45720->45714 45871 4359b0 45721->45871 45723 493f95 SHGetFolderPathA 45724 494100 45723->45724 45724->45724 45873 403040 45724->45873 45726 49411c 45879 41fbf0 45726->45879 45729 495779 45731 438c70 std::_Throw_Cpp_error 41 API calls 45729->45731 45730 49414d std::ios_base::_Ios_base_dtor 45730->45729 45888 4e6ca0 45730->45888 45733 49577e 45731->45733 45903 417ef0 45733->45903 45741 4957dd 45922 4140c0 45741->45922 45857 4032e2 45856->45857 45861 403306 45856->45861 45858 4032e9 45857->45858 45859 40331f 45857->45859 45863 433672 std::_Facet_Register 3 API calls 45858->45863 45870 402b50 RaiseException Concurrency::cancel_current_task ___std_exception_copy 45859->45870 45860 403318 45860->45720 
45861->45860 45864 433672 std::_Facet_Register 3 API calls 45861->45864 45865 4032ef 45863->45865 45866 403310 45864->45866 45867 438c70 std::_Throw_Cpp_error 41 API calls 45865->45867 45868 4032f8 45865->45868 45866->45720 45869 403329 45867->45869 45868->45720 45870->45865 45872 4359c7 45871->45872 45872->45723 45872->45872 45874 4030c8 45873->45874 45876 403052 45873->45876 45875 403057 std::locale::_Locimp::_Locimp 45875->45726 45876->45875 45877 4032d0 std::_Throw_Cpp_error 41 API calls 45876->45877 45878 4030a3 std::locale::_Locimp::_Locimp 45877->45878 45878->45726 45881 41fc8d 45879->45881 45884 41fc12 std::locale::_Locimp::_Locimp 45879->45884 45880 41fd5e 45881->45880 45882 4032d0 std::_Throw_Cpp_error 41 API calls 45881->45882 45885 41fce1 std::locale::_Locimp::_Locimp 45882->45885 45883 41fd3a std::locale::_Locimp::_Locimp 45883->45730 45884->45730 45885->45883 46088 402fe0 41 API calls 2 library calls 45885->46088 45887 41fd27 45887->45730 46089 432b99 45888->46089 45891 4e6d4d 46095 432534 45891->46095 45892 4e6cd7 45894 4e6d54 45892->45894 45897 4e6ce3 45892->45897 45895 432534 std::_Throw_Cpp_error 76 API calls 45894->45895 45896 4e6d65 45895->45896 45897->45897 45900 4e6cfb GetFileAttributesA 45897->45900 45902 4e6d12 45897->45902 45901 4e6d07 GetLastError 45900->45901 45900->45902 45901->45902 45904 418034 45903->45904 45905 417f1d 45903->45905 45913 402cf0 std::_Throw_Cpp_error 41 API calls 45904->45913 45916 417f29 45904->45916 45906 417fcb 45905->45906 45907 417f83 45905->45907 45908 417f24 45905->45908 45909 417f2b 45905->45909 45910 417f7c 45905->45910 45906->45741 45915 433672 std::_Facet_Register 3 API calls 45907->45915 46227 41c3a0 45908->46227 45912 433672 std::_Facet_Register 3 API calls 45909->45912 46232 41cf80 41 API calls 2 library calls 45910->46232 45912->45916 45917 41804f 45913->45917 45915->45916 45916->45741 46233 407f90 41 API calls 2 library calls 45917->46233 45919 418062 45920 4351fb Concurrency::cancel_current_task 
Call-graph data (rendered interactively in the report; the node and edge list is not reproduced here). API-bearing nodes recoverable from it:
• tail of the preceding graph (entry node outside this excerpt): a node ending in RaiseException; 00432BC8 GetCurrentThreadId; 00432BF7 and 00432C25 RtlAcquireSRWLockExclusive; 00432C80 and 00432C97 RtlTryAcquireSRWLockExclusive; 0043302B GetSystemTimePreciseAsFileTime GetSystemTimeAsFileTime __aulldiv __aullrem __Xtime_get_ticks; 00433D80 IsProcessorFeaturePresent; 0043451D SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess; 00433672 std::_Facet_Register (3 API calls); 0042BF30 (41 API calls, 3 library calls)
• graph rooted at 00466D20: helper functions 0041AB20 (41 API calls), 004E6CA0 (86), 004E6C10 (85), 00439820 (43), 004E6770 (93), 0043D0A8 (78), 00403350 (78), 004185D0 (76); 00492440 leads to 00493B60, which calls __fread_nolock at 00493BA5, RegOpenKeyExA at 00493BD7 and RegQueryValueExA followed by RegCloseKey at 00493D97; 00419E60 RaiseException; 004351FB Concurrency::cancel_current_task RaiseException; library calls std::_Throw_Cpp_error, std::ios_base::_Ios_base_dtor and std::locale::_Locimp::_Locimp
• graph rooted at 00463830: CreateDirectoryA at 00465C93, 00465EA9 and 00465FB8; the same helper set (004E6770, 004E6CA0, 004E6C10, 00439820, 0043D0A8, 00403350, 004185D0) plus 00415310 (44 API calls, std::_Throw_Cpp_error)
                                                            APIs
                                                            • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004AA277
                                                              • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1648079157.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 0000000E.00000002.1648062263.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648284086.0000000000585000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648306775.000000000058A000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648328888.0000000000596000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000598000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000771000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.00000000007B0000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648645366.0000000000980000.00000020.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_400000_MPGPH131.jbxd
                                                            Similarity
                                                            • API ID: FileFindFirstFolderPath
                                                            • String ID: ;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$Jzv"$WUa5$X<b.$cannot use operator[] with a string argument with $cannot use push_back() with
                                                            • API String ID: 2195519125-383699475
                                                            • Opcode ID: a3e0360778d83ddd9abda925fda10ee934784615eebea6291e1a1d3c0b8b4fbf
                                                            • Instruction ID: d5c29c46e18a526762dbfc7c8aed9f945ae13eab665394adbd88e65e82b678fb
                                                            • Opcode Fuzzy Hash: a3e0360778d83ddd9abda925fda10ee934784615eebea6291e1a1d3c0b8b4fbf
                                                            • Instruction Fuzzy Hash: 29B433B0D052698BDB25CF68C984BEEBBB1BF49304F1081DAD449A7281DB746F84CF95
                                                            APIs
                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049F224
                                                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049F322
                                                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049F515
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1C76
                                                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1F5D
                                                            • lstrlen.KERNEL32(?), ref: 004A348E
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1648079157.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 0000000E.00000002.1648062263.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648284086.0000000000585000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648306775.000000000058A000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648328888.0000000000596000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000598000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000771000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.00000000007B0000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648645366.0000000000980000.00000020.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_400000_MPGPH131.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
                                                            • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with $~]d
                                                            • API String ID: 2833034228-1763774129
                                                            • Opcode ID: 66ff86b6ee86fd584d77de4af8526b9e7e9d316f957d28481444bdbe466824e0
                                                            • Instruction ID: 3f98b5ef17dcfaa8f689e4fcb5a5d7fbbd5e2711f2842c60bb6495c93d0a2e70
                                                            • Opcode Fuzzy Hash: 66ff86b6ee86fd584d77de4af8526b9e7e9d316f957d28481444bdbe466824e0
                                                            • Instruction Fuzzy Hash: 2793DCB4D052A98ADB65CF29C990BEDBBB1BF59304F0081EAD84DA7241DB742BC4CF45

                                                            Control-flow Graph (function 004DF030; the executed / not-executed colouring of the rendered graph is not reproduced)
                                                            • entry block 004DF030-004DF14D calls 004359B0 and SHGetFolderPathA
                                                            • four branches of the same shape follow, each calling 0041AB20 and 004E6CA0 before a CreateDirectoryA at 004DF312, 004DF513, 004DF833 and 004DFC66; the three later branches continue through 004163B0, 0041AB20 and 004DFF00, then 00402CF0, 004E6770 and 00402DF0
                                                            • error paths leave through 004338F3, 00438C70 and 00402C60
                                                            APIs
                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF329
                                                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF52A
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF84A
                                                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DFC7D
                                                              • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1648079157.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 0000000E.00000002.1648062263.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648284086.0000000000585000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648306775.000000000058A000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648328888.0000000000596000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000598000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000771000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.00000000007B0000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648645366.0000000000980000.00000020.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_400000_MPGPH131.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesErrorFindFirstFolderLastPath
                                                            • String ID:
                                                            • API String ID: 2127212259-0
                                                            • Opcode ID: 0a9d66dacc852727762dd02661486b9ec628ab0a78a4986b9bfafa3a96ef7e23
                                                            • Instruction ID: 8e27dc709fe3b7ff7b62f4d1f71842afe3ac2492894b6e8ccfd466f18f63ab33
                                                            • Opcode Fuzzy Hash: 0a9d66dacc852727762dd02661486b9ec628ab0a78a4986b9bfafa3a96ef7e23
                                                            • Instruction Fuzzy Hash: DBA202B4D0425D8BDF25CFA8C995AEEBBB0BF18304F2041AAD949B7351D7341A84CFA5

                                                            Control-flow Graph (function 004C6000; the executed / not-executed colouring of the rendered graph is not reproduced)
                                                            • 004C608A-004C6133 calls 0041AB20, then FindFirstFileA at 004C6137; if that fails the function returns through 00402DF0 at 004C6463
                                                            • loop: 004C6162 onward processes one entry; FindNextFileA at 004C6437 jumps back to 004C6162 on success, and on failure GetLastError at 004C644D decides between re-entering the loop and reaching FindClose at 004C645C, after which the function returns
                                                            APIs
                                                            • FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                                            • FindNextFileA.KERNELBASE(00000000,00000010), ref: 004C643F
                                                            • GetLastError.KERNEL32 ref: 004C644D
                                                            • FindClose.KERNEL32(00000000), ref: 004C645D
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1648079157.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 0000000E.00000002.1648062263.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648284086.0000000000585000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648306775.000000000058A000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648328888.0000000000596000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000598000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000771000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.00000000007B0000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648645366.0000000000980000.00000020.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_400000_MPGPH131.jbxd
                                                            Similarity
                                                            • API ID: Find$File$CloseErrorFirstLastNext
                                                            • String ID:
                                                            • API String ID: 819619735-0
                                                            • Opcode ID: 90cf4eca11af66bb089fdb4a1b4223e767fc84b405f6936ed3c5d03910aaf901
                                                            • Instruction ID: afe6fe270f27518361ed143ef8865d869d8c660e8b4c9bb3a5978c93709ae348
                                                            • Opcode Fuzzy Hash: 90cf4eca11af66bb089fdb4a1b4223e767fc84b405f6936ed3c5d03910aaf901
                                                            • Instruction Fuzzy Hash: ACD17CB4C043488FDB24CF98C994BEEBBB1BF45314F14829ED4496B392D7785A84CB59
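The APIs blocks above are the report's per-function API listings, and they are where a detection engineer pivots from the sandbox verdict to behaviour: 0049F224 resolves a special folder with SHGetFolderPathA (the nFolder argument 0000001A is CSIDL_APPDATA), reads an INI file with GetPrivateProfileSectionNamesA / GetPrivateProfileStringA and creates directories after probing them via 004E6CA0 (GetFileAttributesA then GetLastError); 004C6000 is a FindFirstFileA / FindNextFileA directory walk. The Python below is an added illustration, not Joe Sandbox code and not the sample's code: it parses lines in exactly the format printed on this page into structured call records, decodes the CSIDL argument, and rolls each function up into coarse behaviour tags. The tag table and the CSIDL subset are this example's own assumptions; the two input blocks are copied from the 0049F224 and 004C6000 listings above.

```python
"""Parse Joe Sandbox 'APIs' blocks into structured records and a per-function
behaviour summary.  Added illustration; not Joe Sandbox code, not the sample's code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One line of the report's APIs block, in the three shapes seen on the page:
#   • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A
#   • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
#   • GetLastError.KERNEL32 ref: 004C644D
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Subset of CSIDL values for SHGetFolderPath's nFolder argument (shlobj.h).
CSIDL = {0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY",
         0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x23: "CSIDL_COMMON_APPDATA", 0x26: "CSIDL_PROGRAM_FILES",
         0x28: "CSIDL_PROFILE"}

# Coarse behaviour tags: a triage heuristic of this example, not a Joe Sandbox signature.
TAGS = {
    "SHGetFolderPathA": "locate-special-folder", "SHGetFolderPathW": "locate-special-folder",
    "CreateDirectoryA": "create-directory", "CreateDirectoryW": "create-directory",
    "FindFirstFileA": "enumerate-files", "FindNextFileA": "enumerate-files",
    "FindClose": "enumerate-files", "GetFileAttributesA": "probe-path",
    "GetPrivateProfileSectionNamesA": "read-ini", "GetPrivateProfileStringA": "read-ini",
    "RegOpenKeyExA": "read-registry", "RegQueryValueExA": "read-registry",
}

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                      # address of the call site
    args: list                    # ints, or None where the sandbox printed '?'
    parent: Optional[int] = None  # set when the call sits in a sub-function

def parse_args(raw):
    """'00000000,0000001A,?' -> [0, 26, None]; no parenthesised list -> []."""
    if raw is None:
        return []
    return [None if a.strip() in ("", "?") else int(a, 16) for a in raw.split(",")]

def parse_api_block(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as 'APIs' or 'Memory Dump Source'
        calls.append(ApiCall(api=m["api"], module=m["module"], ref=int(m["ref"], 16),
                             args=parse_args(m["args"]),
                             parent=int(m["parent"], 16) if m["parent"] else None))
    return calls

def folder_of(call):
    """Decode the nFolder argument of SHGetFolderPath*; None if the sandbox left it as '?'."""
    if not call.api.startswith("SHGetFolderPath") or len(call.args) < 2 or call.args[1] is None:
        return None
    return CSIDL.get(call.args[1], f"CSIDL_0x{call.args[1]:02x}")

def summarize(calls):
    """Roll one function's calls up into tags, resolved folders and its sub-function set."""
    tags = Counter(TAGS[c.api] for c in calls if c.api in TAGS)
    return {"tags": dict(tags),
            "folders": sorted({f for f in map(folder_of, calls) if f}),
            "direct": [c.api for c in calls if c.parent is None],
            "subcalls": sorted({hex(c.parent) for c in calls if c.parent is not None})}

# Sample input: the APIs blocks for 0049F224 and 004C6000 as printed on this page.
BLOCK_49F224 = """\
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049F224
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049F322
• GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049F515
• CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1C76
  • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
  • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
• CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1F5D
• lstrlen.KERNEL32(?), ref: 004A348E
"""
BLOCK_4C6000 = """\
• FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
• FindNextFileA.KERNELBASE(00000000,00000010), ref: 004C643F
• GetLastError.KERNEL32 ref: 004C644D
• FindClose.KERNEL32(00000000), ref: 004C645D
"""

if __name__ == "__main__":
    for name, block in (("0049F224", BLOCK_49F224), ("004C6000", BLOCK_4C6000)):
        print(name, summarize(parse_api_block(block)))
```

Run it over every APIs block of the report and the per-function tags give a compact behaviour map (which functions touch %APPDATA%, which walk directories, which read the registry) that is easier to turn into hunt queries or to compare across samples than the raw listings; the fuzzy hashes in the Similarity section then identify the same functions in other reports.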

                                                            Control-flow Graph (interactive graph omitted; legend: Executed / Not Executed): function starting at 0045E140, basic blocks calling CreateDirectoryA
                                                            APIs
                                                              • Part of subcall function 0040B8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E242
                                                            • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045E3D3
                                                            • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045E4C6
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045E5BC
                                                            • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 0045E808
                                                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E986
                                                            • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045EB1D
                                                            • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045EC10
                                                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045ED06
                                                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045EDED
                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045F06D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1648079157.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 0000000E.00000002.1648062263.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648284086.0000000000585000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648306775.000000000058A000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648328888.0000000000596000.00000004.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000598000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.0000000000771000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648352111.00000000007B0000.00000040.00000001.01000000.00000005.sdmp
                                                            • Associated: 0000000E.00000002.1648645366.0000000000980000.00000020.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_400000_MPGPH131.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                                            • String ID: p!
                                                            • API String ID: 453214671-1397568850
                                                            • Opcode ID: e1ed7e54ebd5b020c8e79904b3ae03e0818e29e9e47e40a3245b38651c09fec3
                                                            • Instruction ID: 0e418cf523baa0a35c0a910b93c4bb77d5942d6061cfe1063ad62b245a56bb8b
                                                            • Opcode Fuzzy Hash: e1ed7e54ebd5b020c8e79904b3ae03e0818e29e9e47e40a3245b38651c09fec3
                                                            • Instruction Fuzzy Hash: 4FA226B0D012688BCB25DB65CD95BDDBBB4AF14304F0040EED44A67282EB785F88DF5A
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B030
                                                            • GetLastError.KERNEL32(?,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B03B
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.1648079157.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 485612231-0
                                                            • Opcode ID: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                                            • Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
                                                            • Opcode Fuzzy Hash: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                                            • Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798