Windows Analysis Report
Ke5ufWcgxp.exe

Overview

General Information

Sample name: Ke5ufWcgxp.exe (renamed because original name is a hash value)
Original sample name: 85b0f825ec9f8661f2b1237a0e33ad06.exe
Analysis ID: 1461288
MD5: 85b0f825ec9f8661f2b1237a0e33ad06
SHA1: 16a3542ada51249be3b3a2939b79447b817b7a02
SHA256: 9ae617395ad5440f6774902b04f331a59282737d0f3c897d9f21ab73c19b691e
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Ke5ufWcgxp.exe (PID: 6172 cmdline: "C:\Users\user\Desktop\Ke5ufWcgxp.exe" MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
    • schtasks.exe (PID: 4024 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2504 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 320 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
  • MPGPH131.exe (PID: 6152 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
  • RageMP131.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
  • RageMP131.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 85B0F825EC9F8661F2B1237A0E33AD06)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: Ke5ufWcgxp.exe PID: 6172 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: MPGPH131.exe PID: 320 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: MPGPH131.exe PID: 6152 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: RageMP131.exe PID: 7356 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: RageMP131.exe PID: 7692 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

            System Summary

            Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Ke5ufWcgxp.exe, ProcessId: 6172, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
            Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
            06/23/24-16:17:36.899727 | 2046269 | 49707 | 58709 | TCP | A Network Trojan was detected
            06/23/24-16:17:38.200223 | 2046269 | 49716 | 58709 | TCP | A Network Trojan was detected
            06/23/24-16:17:04.473158 | 2046267 | 58709 | 49716 | TCP | A Network Trojan was detected
            06/23/24-16:15:23.534284 | 2046266 | 58709 | 49716 | TCP | A Network Trojan was detected
            06/23/24-16:17:36.899737 | 2046269 | 49706 | 58709 | TCP | A Network Trojan was detected
            06/23/24-16:17:37.415514 | 2046269 | 49708 | 58709 | TCP | A Network Trojan was detected
            06/23/24-16:15:00.772679 | 2049060 | 49705 | 58709 | TCP | A Network Trojan was detected
            06/23/24-16:17:01.678127 | 2046267 | 58709 | 49706 | TCP | A Network Trojan was detected
            06/23/24-16:17:36.603047 | 2046269 | 49705 | 58709 | TCP | A Network Trojan was detected
            06/23/24-16:17:02.960524 | 2046267 | 58709 | 49708 | TCP | A Network Trojan was detected
            06/23/24-16:15:15.298112 | 2046266 | 58709 | 49708 | TCP | A Network Trojan was detected
            06/23/24-16:17:01.182074 | 2046267 | 58709 | 49705 | TCP | A Network Trojan was detected
            06/23/24-16:17:01.624141 | 2046267 | 58709 | 49707 | TCP | A Network Trojan was detected
            06/23/24-16:15:01.352624 | 2046266 | 58709 | 49705 | TCP | A Network Trojan was detected
            06/23/24-16:15:05.509073 | 2046266 | 58709 | 49707 | TCP | A Network Trojan was detected
            06/23/24-16:15:05.517411 | 2046266 | 58709 | 49706 | TCP | A Network Trojan was detected

            AV Detection

            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 44%
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Virustotal: Detection: 52%
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 44%
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Virustotal: Detection: 52%
            Source: Ke5ufWcgxp.exe | ReversingLabs: Detection: 44%
            Source: Ke5ufWcgxp.exe | Virustotal: Detection: 52%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
            Source: Ke5ufWcgxp.exe | Joe Sandbox ML: detected
            Source: Ke5ufWcgxp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

            Networking

            Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 77.91.77.66:58709
            Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49705
            Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 77.91.77.66:58709
            Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49707
            Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49706
            Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 77.91.77.66:58709
            Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 77.91.77.66:58709
            Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49708
            Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 77.91.77.66:58709
            Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49716
            Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49716 -> 77.91.77.66:58709
            Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49705
            Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49707
            Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49706
            Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49708
            Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49716
            Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
            Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 77.91.77.66:58709
            Source: Joe Sandbox View | IP Address: 77.91.77.66
            Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
            Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe | Code function: 0_2_00589280 recv,WSASend,0_2_00589280
            Source: Ke5ufWcgxp.exe, 00000000.00000003.2027583976.0000000005040000.00000004.00001000.00020000.00000000.sdmp, Ke5ufWcgxp.exe, 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2056577894.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2056606690.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2160020226.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2243205056.0000000004D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
            Source: RageMP131.exe, 0000000A.00000002.3647150748.000000000120C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
            Source: RageMP131.exe, 0000000A.00000002.3647150748.00000000011F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Namespace
            Source: RageMP131.exe, 00000008.00000002.3646900740.000000000121E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ameSpace/
            Source: MPGPH131.exe, 00000006.00000002.3646874202.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/d0
            Source: MPGPH131.exe, 00000007.00000002.3646701337.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/h
            Source: Ke5ufWcgxp.exe, 00000000.00000003.2027583976.0000000005040000.00000004.00001000.00020000.00000000.sdmp, Ke5ufWcgxp.exe, 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2056577894.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2056606690.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2160020226.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2243205056.0000000004D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
            Source: RageMP131.exe, 00000008.00000002.3646900740.0000000001261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/l
            Source: Ke5ufWcgxp.exe, 00000000.00000002.3646592079.00000000011EC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3646874202.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3646701337.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3646900740.000000000125C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3647150748.00000000011FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
            Source: Ke5ufWcgxp.exe, 00000000.00000002.3646592079.00000000011EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33%Um
            Source: MPGPH131.exe, 00000006.00000002.3646874202.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.330c
            Source: RageMP131.exe, 00000008.00000002.3646900740.000000000121E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33t
            Source: RageMP131.exe, 00000008.00000002.3646900740.000000000121E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33x
            Source: Ke5ufWcgxp.exe, 00000000.00000002.3646592079.000000000117E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3646874202.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3646701337.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3646900740.000000000121E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3647150748.00000000011CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT
            Source: MPGPH131.exe, 00000007.00000002.3646701337.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT(
            Source: MPGPH131.exe, 00000006.00000002.3646874202.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTzn
            Source: RageMP131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

            System Summary

            Source: Ke5ufWcgxp.exe | Static PE information: section name:
            Source: Ke5ufWcgxp.exe | Static PE information: section name: .idata
            Source: Ke5ufWcgxp.exe | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 001B4380 appears 48 times
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: String function: 00734380 appears 48 times
            Source: Ke5ufWcgxp.exe, 00000000.00000000.2019508227.000000000070A000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs Ke5ufWcgxp.exe
            Source: Ke5ufWcgxp.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs Ke5ufWcgxp.exe
            Source: Ke5ufWcgxp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: Ke5ufWcgxp.exe | Static PE information: Section: ZLIB complexity 0.998762545620438
            Source: Ke5ufWcgxp.exe | Static PE information: Section: kwsiocfo ZLIB complexity 0.9946779737285539
            Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.998762545620438
            Source: RageMP131.exe.0.dr | Static PE information: Section: kwsiocfo ZLIB complexity 0.9946779737285539
            Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.998762545620438
            Source: MPGPH131.exe.0.dr | Static PE information: Section: kwsiocfo ZLIB complexity 0.9946779737285539
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@0/1
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe | File created: C:\Users\user\AppData\Local\RageMP131
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4408:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Ke5ufWcgxp.exe, 00000000.00000003.2027583976.0000000005040000.00000004.00001000.00020000.00000000.sdmp, Ke5ufWcgxp.exe, 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2056577894.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2056606690.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2160020226.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2243205056.0000000004D30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: Ke5ufWcgxp.exe, 00000000.00000003.2027583976.0000000005040000.00000004.00001000.00020000.00000000.sdmp, Ke5ufWcgxp.exe, 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2056577894.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2056606690.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2160020226.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2243205056.0000000004D30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: Ke5ufWcgxp.exe | ReversingLabs: Detection: 44%
            Source: Ke5ufWcgxp.exe | Virustotal: Detection: 52%
            Source: Ke5ufWcgxp.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
            Source: Ke5ufWcgxp.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
            Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
            Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
            Source: RageMP131.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
            Source: RageMP131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeFile read: C:\Users\user\Desktop\Ke5ufWcgxp.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Ke5ufWcgxp.exe "C:\Users\user\Desktop\Ke5ufWcgxp.exe"
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winmm.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dllJump to behavior
            Source: Ke5ufWcgxp.exeStatic file information: File size 2393600 > 1048576
            Source: Ke5ufWcgxp.exeStatic PE information: Raw size of kwsiocfo is bigger than: 0x100000 < 0x198000

            Data Obfuscation

            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeUnpacked PE file: 0.2.Ke5ufWcgxp.exe.580000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW;
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeUnpacked PE file: 6.2.MPGPH131.exe.180000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW;
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeUnpacked PE file: 7.2.MPGPH131.exe.180000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW;
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeUnpacked PE file: 8.2.RageMP131.exe.700000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW;
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeUnpacked PE file: 10.2.RageMP131.exe.700000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kwsiocfo:EW;hhfhiasa:EW;.taggant:EW;
            Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
            Source: Ke5ufWcgxp.exeStatic PE information: real checksum: 0x25769f should be: 0x25118b
            Source: RageMP131.exe.0.drStatic PE information: real checksum: 0x25769f should be: 0x25118b
            Source: MPGPH131.exe.0.drStatic PE information: real checksum: 0x25769f should be: 0x25118b
            Source: Ke5ufWcgxp.exeStatic PE information: section name:
            Source: Ke5ufWcgxp.exeStatic PE information: section name: .idata
            Source: Ke5ufWcgxp.exeStatic PE information: section name:
            Source: Ke5ufWcgxp.exeStatic PE information: section name: kwsiocfo
            Source: Ke5ufWcgxp.exeStatic PE information: section name: hhfhiasa
            Source: Ke5ufWcgxp.exeStatic PE information: section name: .taggant
            Source: RageMP131.exe.0.drStatic PE information: section name:
            Source: RageMP131.exe.0.drStatic PE information: section name: .idata
            Source: RageMP131.exe.0.drStatic PE information: section name:
            Source: RageMP131.exe.0.drStatic PE information: section name: kwsiocfo
            Source: RageMP131.exe.0.drStatic PE information: section name: hhfhiasa
            Source: RageMP131.exe.0.drStatic PE information: section name: .taggant
            Source: MPGPH131.exe.0.drStatic PE information: section name:
            Source: MPGPH131.exe.0.drStatic PE information: section name: .idata
            Source: MPGPH131.exe.0.drStatic PE information: section name:
            Source: MPGPH131.exe.0.drStatic PE information: section name: kwsiocfo
            Source: MPGPH131.exe.0.drStatic PE information: section name: hhfhiasa
            Source: MPGPH131.exe.0.drStatic PE information: section name: .taggant
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeCode function: 0_2_005B3F59 push ecx; ret 0_2_005B3F6C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_001B3F59 push ecx; ret 6_2_001B3F6C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_001B3F59 push ecx; ret 7_2_001B3F6C
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00989680 push eax; mov dword ptr [esp], ebp8_2_00989713
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00989680 push 6FD07C94h; mov dword ptr [esp], ebx8_2_009897BE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00989680 push edi; mov dword ptr [esp], 3DB8739Fh8_2_009897EE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00989680 push edi; mov dword ptr [esp], 57FFECEEh8_2_00989874
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00989680 push edx; mov dword ptr [esp], ecx8_2_009898AE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00989680 push edx; mov dword ptr [esp], 00000000h8_2_009898B5
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00733F59 push ecx; ret 8_2_00733F6C
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00989680 push eax; mov dword ptr [esp], ebp10_2_00989713
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00989680 push 6FD07C94h; mov dword ptr [esp], ebx10_2_009897BE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00989680 push edi; mov dword ptr [esp], 3DB8739Fh10_2_009897EE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00989680 push edi; mov dword ptr [esp], 57FFECEEh10_2_00989874
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00989680 push edx; mov dword ptr [esp], ecx10_2_009898AE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00989680 push edx; mov dword ptr [esp], 00000000h10_2_009898B5
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00733F59 push ecx; ret 10_2_00733F6C
            Source: Ke5ufWcgxp.exeStatic PE information: section name: entropy: 7.98581846796198
            Source: Ke5ufWcgxp.exeStatic PE information: section name: kwsiocfo entropy: 7.9553136795218204
            Source: RageMP131.exe.0.drStatic PE information: section name: entropy: 7.98581846796198
            Source: RageMP131.exe.0.drStatic PE information: section name: kwsiocfo entropy: 7.9553136795218204
            Source: MPGPH131.exe.0.drStatic PE information: section name: entropy: 7.98581846796198
            Source: MPGPH131.exe.0.drStatic PE information: section name: kwsiocfo entropy: 7.9553136795218204
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeFile created: C:\ProgramData\MPGPH131\MPGPH131.exeJump to dropped file
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeFile created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeWindow searched: window name: RegmonClassJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeWindow searched: window name: RegmonclassJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeWindow searched: window name: FilemonclassJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeWindow searched: window name: RegmonClassJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeWindow searched: window name: RegmonclassJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeWindow searched: window name: FilemonclassJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeWindow searched: window name: RegmonClassJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeWindow searched: window name: RegmonclassJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeWindow searched: window name: FilemonclassJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131Jump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeStalling execution: Execution stalls by calling Sleepgraph_0-15853
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeStalling execution: Execution stalls by calling Sleep
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeStalling execution: Execution stalls by calling Sleepgraph_6-16840
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 883A6C second address: 883A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F35449CBE3Dh 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 883ED1 second address: 883ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8841AD second address: 8841B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8841B3 second address: 8841BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F35448276A6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8841BD second address: 8841C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 88837E second address: 88840F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F35448276ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 289DE777h 0x00000011 call 00007F35448276ABh 0x00000016 xor cx, C76Dh 0x0000001b pop edi 0x0000001c push 00000003h 0x0000001e pushad 0x0000001f jbe 00007F35448276AAh 0x00000025 mov cx, C34Bh 0x00000029 popad 0x0000002a push 00000000h 0x0000002c sub dword ptr [ebp+122D199Ch], eax 0x00000032 push 00000003h 0x00000034 mov cx, F0B2h 0x00000038 sub dword ptr [ebp+122D1C25h], ecx 0x0000003e push FC73D8A7h 0x00000043 push esi 0x00000044 js 00007F35448276A8h 0x0000004a pop esi 0x0000004b xor dword ptr [esp], 3C73D8A7h 0x00000052 movsx edi, di 0x00000055 lea ebx, dword ptr [ebp+1244B218h] 0x0000005b xor ecx, dword ptr [ebp+122D39E0h] 0x00000061 xchg eax, ebx 0x00000062 jo 00007F35448276BBh 0x00000068 push edi 0x00000069 jmp 00007F35448276B3h 0x0000006e pop edi 0x0000006f push eax 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 push ecx 0x00000074 pop ecx 0x00000075 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 888468 second address: 8884A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F35449CBE36h 0x0000000a popad 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jno 00007F35449CBE3Ch 0x00000015 push 00000000h 0x00000017 mov edx, dword ptr [ebp+122D2A49h] 0x0000001d mov edi, ecx 0x0000001f push 6789DCB7h 0x00000024 pushad 0x00000025 jns 00007F35449CBE3Ch 0x0000002b push ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 888562 second address: 8885C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jns 00007F35448276ACh 0x00000011 pop esi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 pushad 0x00000018 je 00007F35448276A6h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 jmp 00007F35448276B4h 0x00000026 popad 0x00000027 mov eax, dword ptr [eax] 0x00000029 pushad 0x0000002a jmp 00007F35448276B6h 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8885C2 second address: 8885D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8885D7 second address: 888633 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F35448276A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop eax 0x0000000c mov di, A8FDh 0x00000010 lea ebx, dword ptr [ebp+1244B221h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F35448276A8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 xchg eax, ebx 0x00000031 pushad 0x00000032 jo 00007F35448276BFh 0x00000038 jmp 00007F35448276B9h 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 888633 second address: 888644 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F35449CBE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 888644 second address: 888648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8738F7 second address: 8738FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A6DAC second address: 8A6DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A6DB0 second address: 8A6DDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F35449CBE40h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A6DDA second address: 8A6DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A70E1 second address: 8A70EB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F35449CBE36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A752B second address: 8A7535 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A7535 second address: 8A7539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A76B4 second address: 8A76C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A76C1 second address: 8A76C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A76C7 second address: 8A76D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A7DD6 second address: 8A7DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A7DDE second address: 8A7DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F35448276AEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 87535A second address: 875373 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F35449CBE36h 0x00000009 jmp 00007F35449CBE3Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A8090 second address: 8A80B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35448276B3h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c jmp 00007F35448276AFh 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A80B9 second address: 8A80D4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F35449CBE3Ch 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A80D4 second address: 8A80D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A8622 second address: 8A862C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F35449CBE36h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A862C second address: 8A8630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A8630 second address: 8A8636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8A8636 second address: 8A8652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F35448276B4h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8ADD44 second address: 8ADD4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F35449CBE36h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8AF2C2 second address: 8AF2EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F35448276AFh 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F35448276B0h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8AF2EC second address: 8AF316 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F35449CBE38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnl 00007F35449CBE3Eh 0x00000014 mov eax, dword ptr [eax] 0x00000016 jc 00007F35449CBE40h 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8AF316 second address: 8AF32A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jp 00007F35448276B8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8AF32A second address: 8AF32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B42E4 second address: 8B42F4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F35448276B2h 0x00000008 jnp 00007F35448276A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B393D second address: 8B3941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B3941 second address: 8B394D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F35448276A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B3AED second address: 8B3AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B41A8 second address: 8B41AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B6233 second address: 8B623C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B623C second address: 8B6259 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 321DD870h 0x0000000e call 00007F35448276A9h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B6259 second address: 8B625D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B625D second address: 8B6263 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B6410 second address: 8B642D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F35449CBE3Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B642D second address: 8B6431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B6431 second address: 8B6437 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B6966 second address: 8B696A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B696A second address: 8B6970 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B6A11 second address: 8B6A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B723A second address: 8B7252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35449CBE44h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B74C9 second address: 8B74CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B7AB2 second address: 8B7AB8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B7AB8 second address: 8B7ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B93C0 second address: 8B93C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B93C4 second address: 8B93C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B93C8 second address: 8B93DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F35449CBE36h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B93DA second address: 8B93E4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F35448276A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B9F63 second address: 8B9F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B9F67 second address: 8B9FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F35448276A8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jne 00007F35448276A9h 0x0000002a mov esi, 41C80BA0h 0x0000002f push 00000000h 0x00000031 sbb esi, 70CD8EB5h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007F35448276A8h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 push eax 0x00000054 jp 00007F35448276B4h 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8BA8D4 second address: 8BA8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8BC2CD second address: 8BC2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8BC2D1 second address: 8BC2D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 876F17 second address: 876F1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 876F1C second address: 876F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8BC8DD second address: 8BC94A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 cld 0x00000008 pushad 0x00000009 movzx ecx, di 0x0000000c sub ecx, dword ptr [ebp+122D3B04h] 0x00000012 popad 0x00000013 push 00000000h 0x00000015 or esi, 18461109h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F35448276A8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov dword ptr [ebp+12463E55h], eax 0x0000003d mov dword ptr [ebp+122D1B87h], edx 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jbe 00007F35448276BCh 0x0000004c jmp 00007F35448276B6h 0x00000051 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8BDF26 second address: 8BDF2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8BE722 second address: 8BE727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8BE727 second address: 8BE731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F35449CBE36h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C0AB0 second address: 8C0AD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276B4h 0x00000007 jo 00007F35448276A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C1B48 second address: 8C1B52 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F35449CBE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C1D36 second address: 8C1DCD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F35448276A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c jne 00007F35448276AEh 0x00000012 nop 0x00000013 push dword ptr fs:[00000000h] 0x0000001a sub ebx, 38999024h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F35448276A8h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 xor edi, 005C43DAh 0x00000047 mov eax, dword ptr [ebp+122D0171h] 0x0000004d push 00000000h 0x0000004f push eax 0x00000050 call 00007F35448276A8h 0x00000055 pop eax 0x00000056 mov dword ptr [esp+04h], eax 0x0000005a add dword ptr [esp+04h], 00000015h 0x00000062 inc eax 0x00000063 push eax 0x00000064 ret 0x00000065 pop eax 0x00000066 ret 0x00000067 mov bx, ax 0x0000006a mov di, 8677h 0x0000006e mov dword ptr [ebp+1246DDB6h], edi 0x00000074 push FFFFFFFFh 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push ebx 0x0000007a jl 00007F35448276A6h 0x00000080 pop ebx 0x00000081 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C2B60 second address: 8C2B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C2B66 second address: 8C2B6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C3CF9 second address: 8C3CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C2B6B second address: 8C2B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F35448276A6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C4ADD second address: 8C4AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C3CFD second address: 8C3D03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8C4AE2 second address: 8C4B07 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a ja 00007F35449CBE38h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F35449CBE41h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 902372 second address: 902376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9024CF second address: 9024E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35448276B0h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 908E2D second address: 908E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 908E31 second address: 908E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 908E37 second address: 908E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F35449CBE36h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 907838 second address: 90783E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9079B9 second address: 9079D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE42h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9079D4 second address: 9079DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 907C8A second address: 907C96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F35449CBE36h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 907C96 second address: 907C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B5846 second address: 8B58BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edx, dword ptr [ebp+122D199Ch] 0x0000000e mov ebx, dword ptr [ebp+1247786Eh] 0x00000014 jmp 00007F35449CBE49h 0x00000019 mov edi, dword ptr [ebp+122D38E8h] 0x0000001f add eax, ebx 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F35449CBE38h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b mov ecx, dword ptr [ebp+122D1A61h] 0x00000041 nop 0x00000042 jmp 00007F35449CBE41h 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F35449CBE3Ah 0x00000051 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B58BF second address: 8B58C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B58C3 second address: 8B58C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 8B58C9 second address: 8B5914 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F35448276A6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edx, dword ptr [ebp+122D3850h] 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F35448276A8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D2A25h], ebx 0x00000035 mov dword ptr [ebp+122D195Fh], ebx 0x0000003b push eax 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 908089 second address: 908097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 908097 second address: 9080A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 90BA9A second address: 90BAA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 90FB5E second address: 90FB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 90FB62 second address: 90FB6C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F35449CBE36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 90FCB9 second address: 90FCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 90FCBD second address: 90FCD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE3Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 90FCD0 second address: 90FCD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 910285 second address: 91028A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 912BF1 second address: 912BFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 91A2E9 second address: 91A318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F35449CBE36h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 pushad 0x00000015 je 00007F35449CBE36h 0x0000001b jl 00007F35449CBE36h 0x00000021 jmp 00007F35449CBE3Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9182BA second address: 9182DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F35448276A6h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9182DF second address: 9182FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE49h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9182FC second address: 918325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F35448276AEh 0x0000000b push ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F35448276ADh 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 918490 second address: 9184B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F35449CBE36h 0x0000000a jmp 00007F35449CBE46h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9184B0 second address: 9184C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jl 00007F35448276A6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9184C3 second address: 9184F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35449CBE45h 0x00000009 jmp 00007F35449CBE3Eh 0x0000000e popad 0x0000000f pushad 0x00000010 jne 00007F35449CBE36h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9184F4 second address: 9184F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9184F9 second address: 9184FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 918D89 second address: 918D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 91905B second address: 919073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35449CBE3Bh 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F35449CBE36h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919073 second address: 919082 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F35448276A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919082 second address: 9190A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F35449CBE47h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9190A3 second address: 9190A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9190A9 second address: 9190C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jg 00007F35449CBE3Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9190C0 second address: 9190D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35448276B1h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919692 second address: 919697 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919697 second address: 9196A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9196A1 second address: 9196A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9196A7 second address: 9196AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919961 second address: 919975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE3Ah 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919975 second address: 919979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919979 second address: 91997F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 91997F second address: 919993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F35448276B2h 0x0000000c jnc 00007F35448276A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919C89 second address: 919C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919C8F second address: 919C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919C95 second address: 919CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F35449CBE3Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 919F54 second address: 919F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F35448276B4h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F35448276B1h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 91D37C second address: 91D389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F35449CBE36h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 91D389 second address: 91D38D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 91DEF5 second address: 91DF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F35449CBE3Fh 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 91DF0C second address: 91DF20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276AFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 922BA7 second address: 922BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jp 00007F35449CBE36h 0x0000000f jnp 00007F35449CBE36h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 922BC0 second address: 922BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 92A858 second address: 92A866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35449CBE3Ah 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 92A866 second address: 92A86A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 928F31 second address: 928F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 928F37 second address: 928F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 928F3B second address: 928F3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9291C1 second address: 9291C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9291C7 second address: 9291CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9291CB second address: 9291CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9291CF second address: 9291E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F35449CBE42h 0x0000000c jne 00007F35449CBE36h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 92971C second address: 929727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F35448276A6h 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 929727 second address: 92972F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 92972F second address: 929741 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F35448276A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F35448276ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 92870C second address: 928726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35449CBE40h 0x00000009 je 00007F35449CBE36h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 928726 second address: 92872A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 931A29 second address: 931A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 931B8D second address: 931B9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F35448276A6h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 931B9D second address: 931BB1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jbe 00007F35449CBE36h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 87D8A0 second address: 87D8A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 87D8A5 second address: 87D8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 93EBAB second address: 93EBAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 94341F second address: 943423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 945E1C second address: 945E20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 945E20 second address: 945E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35449CBE41h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jnp 00007F35449CBE36h 0x00000012 jmp 00007F35449CBE48h 0x00000017 pop edi 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 94B45B second address: 94B45F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9537DD second address: 9537E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9537E1 second address: 9537E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9537E6 second address: 95381A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F35449CBE42h 0x0000000b jng 00007F35449CBE36h 0x00000011 jno 00007F35449CBE36h 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F35449CBE48h 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 95381A second address: 953834 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F35448276B0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 953834 second address: 953847 instructions: 0x00000000 rdtsc 0x00000002 je 00007F35449CBE36h 0x00000008 jp 00007F35449CBE36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 9585FA second address: 958604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 95F801 second address: 95F810 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 95E901 second address: 95E909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 524027B second address: 5240281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5240281 second address: 5240285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5240285 second address: 5240289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5240289 second address: 52402C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F35449CBE47h 0x0000000f je 00007F35B66AA1A1h 0x00000015 pushad 0x00000016 movzx ecx, dx 0x00000019 mov bh, AEh 0x0000001b popad 0x0000001c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52402C3 second address: 52402D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35448276ABh 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52402D3 second address: 52402FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F35B66AA184h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 call 00007F35449CBE43h 0x00000018 pop ecx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52402FA second address: 52402FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52402FE second address: 5240315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F35449CBE3Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5240315 second address: 524034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov edx, dword ptr [esi+44h] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007F35448276B1h 0x00000012 adc si, 6DD6h 0x00000017 jmp 00007F35448276B1h 0x0000001c popfd 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 524034A second address: 52403BA instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F35449CBE3Dh 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f popad 0x00000010 or edx, dword ptr [ebp+0Ch] 0x00000013 jmp 00007F35449CBE3Dh 0x00000018 test edx, 61000000h 0x0000001e jmp 00007F35449CBE3Eh 0x00000023 jne 00007F35B66AA138h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F35449CBE48h 0x00000032 xor si, D0B8h 0x00000037 jmp 00007F35449CBE3Bh 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52403BA second address: 524040A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F35448276AFh 0x00000009 or cx, 327Eh 0x0000000e jmp 00007F35448276B9h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test byte ptr [esi+48h], 00000001h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F35448276B3h 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260153 second address: 5260157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260157 second address: 5260181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 and esp, FFFFFFF8h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F35448276B9h 0x00000012 pop eax 0x00000013 mov ch, bl 0x00000015 popad 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260181 second address: 5260187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260187 second address: 526018B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 526018B second address: 52601B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F35449CBE3Dh 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52601B6 second address: 526023E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edi, 2CC00260h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov edx, eax 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 call 00007F35448276ACh 0x00000019 pop ecx 0x0000001a popad 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d jmp 00007F35448276B1h 0x00000022 xchg eax, esi 0x00000023 jmp 00007F35448276AEh 0x00000028 push eax 0x00000029 jmp 00007F35448276ABh 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 jmp 00007F35448276ABh 0x00000037 pushfd 0x00000038 jmp 00007F35448276B8h 0x0000003d xor ch, FFFFFF98h 0x00000040 jmp 00007F35448276ABh 0x00000045 popfd 0x00000046 popad 0x00000047 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 526023E second address: 5260294 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F35449CBE3Ch 0x00000013 sub esi, 09895E28h 0x00000019 jmp 00007F35449CBE3Bh 0x0000001e popfd 0x0000001f mov ch, 27h 0x00000021 popad 0x00000022 mov ebx, 00000000h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F35449CBE3Ah 0x00000030 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260294 second address: 5260298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260298 second address: 526029E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 526029E second address: 52602AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35448276ADh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52602AF second address: 5260323 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d jmp 00007F35449CBE3Eh 0x00000012 je 00007F35B6681EEEh 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F35449CBE3Eh 0x0000001f sbb esi, 67EC8548h 0x00000025 jmp 00007F35449CBE3Bh 0x0000002a popfd 0x0000002b push eax 0x0000002c pushad 0x0000002d popad 0x0000002e pop edi 0x0000002f popad 0x00000030 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F35449CBE47h 0x0000003e rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260323 second address: 5260373 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b jmp 00007F35448276AEh 0x00000010 je 00007F35B64DD6F9h 0x00000016 jmp 00007F35448276B0h 0x0000001b test byte ptr [76FA6968h], 00000002h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260373 second address: 5260377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260377 second address: 526037D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 526037D second address: 52603A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F35B6681E57h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov edx, 704B8EE0h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52603A6 second address: 52603B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35448276ABh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52603B5 second address: 5260474 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e jmp 00007F35449CBE3Eh 0x00000013 xchg eax, ebx 0x00000014 jmp 00007F35449CBE40h 0x00000019 push eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F35449CBE41h 0x00000021 xor al, FFFFFFA6h 0x00000024 jmp 00007F35449CBE41h 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007F35449CBE40h 0x00000030 adc esi, 1C3DD848h 0x00000036 jmp 00007F35449CBE3Bh 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e jmp 00007F35449CBE46h 0x00000043 xchg eax, ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F35449CBE47h 0x0000004b rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260474 second address: 5260479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260479 second address: 526049C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F35449CBE45h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 526049C second address: 52604A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52604A0 second address: 52604A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52604A4 second address: 52604AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52604AA second address: 52604C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F35449CBE3Bh 0x00000008 mov di, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52604C5 second address: 52604C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52604C9 second address: 52604CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52604CF second address: 52604FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, F2h 0x00000005 mov edx, 291E7274h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+14h] 0x00000010 jmp 00007F35448276B3h 0x00000015 push dword ptr [ebp+10h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52604FB second address: 52604FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52604FF second address: 5260505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260542 second address: 5260546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260546 second address: 526055D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 526055D second address: 52605A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007F35449CBE3Eh 0x0000000f pop ebx 0x00000010 pushad 0x00000011 mov si, 118Dh 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 mov esp, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F35449CBE3Bh 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52605A1 second address: 52605B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35448276B4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52605B9 second address: 52605E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F35449CBE48h 0x00000011 mov esi, 2D9C6681h 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5250147 second address: 5250162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52A1BD8 second address: 52A1C06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F35449CBE48h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52A1C06 second address: 52A1C15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52A1C15 second address: 52A1C65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F35449CBE3Fh 0x00000009 sub esi, 0F491D5Eh 0x0000000f jmp 00007F35449CBE49h 0x00000014 popfd 0x00000015 mov ch, 52h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov dl, 2Ch 0x00000020 call 00007F35449CBE40h 0x00000025 pop esi 0x00000026 popad 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5200285 second address: 52002A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F35448276B7h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52002A0 second address: 52002D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F35449CBE40h 0x00000010 xor ax, A008h 0x00000015 jmp 00007F35449CBE3Bh 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d movzx ecx, bx 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52002D1 second address: 52002E6 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 7452F076h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov edx, ecx 0x00000012 push ecx 0x00000013 pop edx 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52002E6 second address: 520034C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov dl, ah 0x0000000e mov bx, 3574h 0x00000012 popad 0x00000013 push esp 0x00000014 jmp 00007F35449CBE48h 0x00000019 mov dword ptr [esp], ecx 0x0000001c jmp 00007F35449CBE40h 0x00000021 and dword ptr [ebp-04h], 00000000h 0x00000025 pushad 0x00000026 call 00007F35449CBE3Eh 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 520034C second address: 5200372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov edx, 05557634h 0x0000000a popad 0x0000000b lea eax, dword ptr [ebp-04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F35448276B6h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 520045E second address: 520049E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F35449CBE3Eh 0x00000010 js 00007F35B50F7A64h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F35449CBE47h 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 520049E second address: 52004C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov bh, 9Bh 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E00 second address: 51E0E1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E1D second address: 51E0E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E23 second address: 51E0E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E27 second address: 51E0E2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E2B second address: 51E0E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F35449CBE3Eh 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E46 second address: 51E0E55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35448276ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E55 second address: 51E0E93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 call 00007F35449CBE3Bh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F35449CBE40h 0x0000001a and si, 1978h 0x0000001f jmp 00007F35449CBE3Bh 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E93 second address: 51E0E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0E98 second address: 51E0EAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, D0A8h 0x00000007 push ebx 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0EAC second address: 51E0EB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 51E0EB2 second address: 51E0EF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F35449CBE3Bh 0x00000013 jmp 00007F35449CBE43h 0x00000018 popfd 0x00000019 push eax 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5290080 second address: 5290084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5290084 second address: 529008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 529008A second address: 5290090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5290090 second address: 5290094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5290094 second address: 5290098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5290098 second address: 52900AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, di 0x0000000f push edi 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 52900AA second address: 52900F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 1DEE9D43h 0x00000008 push ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F35448276B0h 0x00000017 jmp 00007F35448276B5h 0x0000001c popfd 0x0000001d call 00007F35448276B0h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260EB4 second address: 5260EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260EBA second address: 5260EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exeRDTSC instruction interceptor: First address: 5260EBE second address: 5260F0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F35449CBE3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F35449CBE49h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007F35449CBE3Ah 0x0000001b jmp 00007F35449CBE45h 0x00000020 popfd 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Special instruction interceptor: First address: 710B9B instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Special instruction interceptor: First address: 939615 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Special instruction interceptor: First address: 310B9B instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Special instruction interceptor: First address: 539615 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Special instruction interceptor: First address: 890B9B instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Special instruction interceptor: First address: AB9615 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Code function: 0_2_052C0049 rdtsc 0_2_052C0049
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Window / User API: threadDelayed 1237
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Window / User API: threadDelayed 1260
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Window / User API: threadDelayed 519
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Window / User API: threadDelayed 776
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Window / User API: threadDelayed 1391
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Window / User API: threadDelayed 1194
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Window / User API: threadDelayed 488
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Window / User API: threadDelayed 1165
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Window / User API: threadDelayed 481
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Window / User API: threadDelayed 1316
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Window / User API: threadDelayed 1240
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Window / User API: threadDelayed 495
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Window / User API: threadDelayed 1269
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Window / User API: threadDelayed 1191
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Window / User API: threadDelayed 509
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) [graph_6-16941]
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) [graph_0-15873]
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 2824; Thread sleep time: -46023s >= -30000s
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 2800; Thread sleep count: 1237 > 30
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 2800; Thread sleep time: -2475237s >= -30000s
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 2164; Thread sleep count: 1260 > 30
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 2164; Thread sleep time: -2521260s >= -30000s
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 6556; Thread sleep count: 519 > 30
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 6556; Thread sleep time: -52419s >= -30000s
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 4460; Thread sleep count: 776 > 30
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 4460; Thread sleep time: -1552776s >= -30000s
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 2520; Thread sleep count: 1391 > 30
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe TID: 2520; Thread sleep time: -2783391s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1480; Thread sleep time: -50025s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2408; Thread sleep count: 1194 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2408; Thread sleep time: -2389194s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5908; Thread sleep count: 99 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5908; Thread sleep count: 488 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5908; Thread sleep time: -49288s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1360; Thread sleep count: 1165 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1360; Thread sleep time: -2331165s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7204; Thread sleep count: 48 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7204; Thread sleep time: -96048s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7208; Thread sleep count: 45 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7208; Thread sleep time: -90045s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1408; Thread sleep count: 100 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1408; Thread sleep count: 481 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1408; Thread sleep time: -48581s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7188; Thread sleep count: 1316 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7188; Thread sleep time: -2633316s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7408; Thread sleep time: -60030s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7392; Thread sleep count: 1240 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7392; Thread sleep time: -2481240s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7360; Thread sleep count: 71 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7360; Thread sleep count: 495 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7360; Thread sleep time: -49995s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7400; Thread sleep count: 1269 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7400; Thread sleep time: -2539269s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7752; Thread sleep time: -60030s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7732; Thread sleep count: 1191 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7732; Thread sleep time: -2383191s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7696; Thread sleep count: 58 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7696; Thread sleep count: 509 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7696; Thread sleep time: -51409s >= -30000s
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Last function: Thread delayed
            Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3639511163.0000000000A0D000.00000040.00000001.01000000.00000006.sdmp; Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: Ke5ufWcgxp.exe, 00000000.00000002.3646592079.000000000117E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i
            Source: Ke5ufWcgxp.exe, 00000000.00000002.3646592079.0000000001170000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&0^?V
            Source: RageMP131.exe, 0000000A.00000002.3647150748.00000000011C0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
            Source: RageMP131.exe, 00000008.00000002.3646900740.000000000121E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_CD14D628]9
            Source: RageMP131.exe, 0000000A.00000002.3636609539.00000000005BC000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
            Source: RageMP131.exe, 0000000A.00000003.2266336956.0000000001237000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Om
            Source: RageMP131.exe, 0000000A.00000002.3647150748.0000000001235000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000007.00000002.3646701337.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A
            Source: RageMP131.exe, 0000000A.00000002.3647150748.0000000001235000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_CD14D628v
            Source: MPGPH131.exe, 00000007.00000002.3646701337.0000000000D67000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
            Source: MPGPH131.exe, 00000007.00000002.3646701337.0000000000D67000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}~
            Source: RageMP131.exe, 0000000A.00000002.3647150748.0000000001235000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_CD14D628
            Source: RageMP131.exe, 0000000A.00000003.2266336956.0000000001235000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 00000008.00000002.3646900740.0000000001286000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000J%
            Source: MPGPH131.exe, 00000007.00000002.3646701337.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
            Source: Ke5ufWcgxp.exe, 00000000.00000002.3638293541.000000000088D000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3638291706.000000000048D000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3638295977.000000000048D000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3639684463.0000000000A0D000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.3639511163.0000000000A0D000.00000040.00000001.01000000.00000006.sdmp; Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: MPGPH131.exe, 00000007.00000002.3646701337.0000000000D87000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u~
            Source: Ke5ufWcgxp.exe, 00000000.00000002.3646592079.00000000011E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3646874202.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3646900740.0000000001286000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3647150748.000000000121C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: MPGPH131.exe, 00000007.00000002.3646701337.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&Vn
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Open window title or class name: regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Open window title or class name: gbdyllo
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Open window title or class name: procmon_window_class
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Open window title or class name: ollydbg
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Open window title or class name: filemonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; File opened: NTICE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; File opened: SICE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; File opened: SIWVID
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Process queried: DebugPort
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Code function: 0_2_052C0049 rdtsc 0_2_052C0049
            Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3639511163.0000000000A0D000.00000040.00000001.01000000.00000006.sdmp; Binary or memory string: NwPProgram Manager
            Source: Ke5ufWcgxp.exe, 00000000.00000002.3638293541.000000000088D000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3638291706.000000000048D000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3638295977.000000000048D000.00000040.00000001.01000000.00000005.sdmp; Binary or memory string: oNwPProgram Manager
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Code function: 0_2_005B361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,0_2_005B361D
            Source: C:\Users\user\Desktop\Ke5ufWcgxp.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match; File source: Process Memory Space: Ke5ufWcgxp.exe PID: 6172, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 320, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 6152, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 7356, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 7692, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match; File source: Process Memory Space: Ke5ufWcgxp.exe PID: 6172, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 320, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 6152, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 7356, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 7692, type: MEMORYSTR

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 2 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 24 Virtualization/Sandbox Evasion | LSASS Memory | 741 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 2 Process Injection | Security Account Manager | 24 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 214 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

            Behavior graph (ID: 1461288; sample: Ke5ufWcgxp.exe; start date: 23/06/2024; architecture: WINDOWS; score: 100)
            Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Yara detected RisePro Stealer; 4 other signatures
            Started processes: Ke5ufWcgxp.exe; RageMP131.exe; MPGPH131.exe; 2 other processes
            Ke5ufWcgxp.exe, DNS/IP: 77.91.77.66, 49705, 49706, 49707 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation
            Ke5ufWcgxp.exe, dropped files: C:\Users\user\AppData\Local\...\RageMP131.exe, PE32; C:\ProgramData\MPGPH131\MPGPH131.exe, PE32; C:\Users\...\RageMP131.exe:Zone.Identifier, ASCII; C:\...\MPGPH131.exe:Zone.Identifier, ASCII
            Ke5ufWcgxp.exe, signatures: Detected unpacking (changes PE section rights); Found stalling execution ending in API Sleep call; Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect virtualization through RDTSC time measurements
            Ke5ufWcgxp.exe, started processes: schtasks.exe (started conhost.exe); schtasks.exe (started conhost.exe)
            RageMP131.exe, signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file
            MPGPH131.exe, signatures: Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
            2 other processes, signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

            Source | Detection | Scanner | Label | Link
            Ke5ufWcgxp.exe | 45% | ReversingLabs | Win32.Trojan.RisePro |
            Ke5ufWcgxp.exe | 53% | Virustotal | | Browse
            Ke5ufWcgxp.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML | |
            C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML | |
            C:\ProgramData\MPGPH131\MPGPH131.exe | 45% | ReversingLabs | Win32.Trojan.RisePro |
            C:\ProgramData\MPGPH131\MPGPH131.exe | 53% | Virustotal | | Browse
            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 45% | ReversingLabs | Win32.Trojan.RisePro |
            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 53% | Virustotal | | Browse

            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://ipinfo.io/ | 0% | URL Reputation | safe |
            https://ipinfo.io/widget/demo/8.46.123.33%Um | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/ameSpace/ | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe |
            https://t.me/RiseProSUPPORTzn | 0% | Avira URL Cloud | safe |
            https://www.maxmind.com/en/locate-my-ip-address | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/widget/demo/8.46.123.33t | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/h | 0% | Avira URL Cloud | safe |
            https://www.maxmind.com/en/locate-my-ip-address | 0% | Virustotal | | Browse
            https://t.me/RiseProSUPPORT( | 0% | Avira URL Cloud | safe |
            http://www.winimage.com/zLibDll | 1% | Virustotal | | Browse
            https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Virustotal | | Browse
            https://ipinfo.io/h | 0% | Virustotal | | Browse
            https://t.me/RiseProSUPPORT( | 1% | Virustotal | | Browse
            http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/d0 | 0% | Avira URL Cloud | safe |
            https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/widget/demo/8.46.123.33x | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/widget/demo/8.46.123.330c | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/l | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/Namespace | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/l | 0% | Virustotal | | Browse
            https://t.me/RiseProSUPPORT | 0% | Virustotal | | Browse
            No contacted domains info
            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            77.91.77.66 | unknown | Russian Federation | | 42861 | FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1461288
            Start date and time:2024-06-23 16:14:09 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 9m 12s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:13
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Ke5ufWcgxp.exe
            renamed because original name is a hash value
            Original Sample Name:85b0f825ec9f8661f2b1237a0e33ad06.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@11/5@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            Time | Type | Description
            10:15:28 | API Interceptor | 1443520x Sleep call for process: Ke5ufWcgxp.exe modified
            10:15:31 | API Interceptor | 2448212x Sleep call for process: MPGPH131.exe modified
            10:15:41 | API Interceptor | 1801187x Sleep call for process: RageMP131.exe modified
            16:15:00 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
            16:15:00 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
            16:15:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            16:15:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            77.91.77.66 | BqqQh4Jr7L.exe | Get hash | malicious | RisePro Stealer | Browse |
            77.91.77.66 | file.exe | Get hash | malicious | RisePro Stealer | Browse |
            77.91.77.66 | file.exe | Get hash | malicious | RisePro Stealer | Browse |
            77.91.77.66 | plTAoSCew2.exe | Get hash | malicious | RisePro Stealer | Browse |
            77.91.77.66 | 7rA1iX60wh.exe | Get hash | malicious | RisePro Stealer | Browse |
            77.91.77.66 | PNO3otPYOa.exe | Get hash | malicious | RisePro Stealer | Browse |
            77.91.77.66 | YnsEArPlqx.exe | Get hash | malicious | RisePro Stealer | Browse |
            77.91.77.66 | AlCsIOd0pd.exe | Get hash | malicious | RisePro Stealer | Browse |
            77.91.77.66 | setup.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse |
            77.91.77.66 | D44CPdpkNk.exe | Get hash | malicious | RisePro Stealer | Browse |
                                No context
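                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | yWny5Jds8b.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, RedLine | Browse | 77.91.77.81
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | file.exe | Get hash | malicious | LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader | Browse | 77.91.77.81
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | BqqQh4Jr7L.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | file.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | setup.exe | Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | Browse | 77.91.77.81
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | setup.exe | Get hash | malicious | Amadey | Browse | 77.91.77.81
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | It5068xROy.dll | Get hash | malicious | RedLine | Browse | 77.91.77.6
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | file.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | plTAoSCew2.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
                                FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | 7rA1iX60wh.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66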
                                No context
                                No context
                                Process:C:\Users\user\Desktop\Ke5ufWcgxp.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):2393600
                                Entropy (8bit):7.966388365043691
                                Encrypted:false
                                SSDEEP:49152:RVQGeQ3baj4j62r4XenE+svt3aaJzeuNh4zHhSeb78G5oEz:TmdU+2r4X+Mt3hey4tSs78GT
                                MD5:85B0F825EC9F8661F2B1237A0E33AD06
                                SHA1:16A3542ADA51249BE3B3A2939B79447B817B7A02
                                SHA-256:9AE617395AD5440F6774902B04F331A59282737D0F3C897D9F21AB73C19B691E
                                SHA-512:E3C720D343F8D51FC008B951663669615BFEB22513705532D0C63D64662028DB6561B6AD302BB71AE6D9C7BF876B9FB33665F09AE877D821ED60642BB7E22A80
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 45%
                                • Antivirus: Virustotal, Detection: 53%, Browse
                                Reputation:low
                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|........]...........@...........................]......v%...@.................................^...r.......8.....................]...............................]..............................6..@................... . ............................@....rsrc...8...........................@....idata ............................@... .P+.........................@...kwsiocfo..... D.....................@...hhfhiasa......]......`$.............@....taggant.0....].."...d$.............@...........................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Ke5ufWcgxp.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\Ke5ufWcgxp.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):2393600
                                Entropy (8bit):7.966388365043691
                                Encrypted:false
                                SSDEEP:49152:RVQGeQ3baj4j62r4XenE+svt3aaJzeuNh4zHhSeb78G5oEz:TmdU+2r4X+Mt3hey4tSs78GT
                                MD5:85B0F825EC9F8661F2B1237A0E33AD06
                                SHA1:16A3542ADA51249BE3B3A2939B79447B817B7A02
                                SHA-256:9AE617395AD5440F6774902B04F331A59282737D0F3C897D9F21AB73C19B691E
                                SHA-512:E3C720D343F8D51FC008B951663669615BFEB22513705532D0C63D64662028DB6561B6AD302BB71AE6D9C7BF876B9FB33665F09AE877D821ED60642BB7E22A80
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 45%
                                • Antivirus: Virustotal, Detection: 53%, Browse
                                Reputation:low
                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|........]...........@...........................]......v%...@.................................^...r.......8.....................]...............................]..............................6..@................... . ............................@....rsrc...8...........................@....idata ............................@... .P+.........................@...kwsiocfo..... D.....................@...hhfhiasa......]......`$.............@....taggant.0....].."...d$.............@...........................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Ke5ufWcgxp.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\Ke5ufWcgxp.exe
                                File Type:ASCII text, with no line terminators
                                Category:modified
                                Size (bytes):13
                                Entropy (8bit):2.8731406795131336
                                Encrypted:false
                                SSDEEP:3:L4UcZn:6Zn
                                MD5:86186CC248F7A1B35E4872A0AAFD6A71
                                SHA1:BB2B96946CF82BCBBB856BC26F829DBCACDA29FE
                                SHA-256:BBFF526100D847AB4D6675AF4CD489E946E3887B9AAF94F7DF51C9D1AC8D5748
                                SHA-512:D59CE3F53986105A372B983BF3237E936FA3B85E0EB3AF6029711C93F23C83A378AA5732ACF5FE485E72F749F18062A7D65D9F695FF0025AD39C0DA591A21B7A
                                Malicious:false
                                Reputation:low
                                Preview:1719155728960
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.966388365043691
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:Ke5ufWcgxp.exe
                                File size:2'393'600 bytes
                                MD5:85b0f825ec9f8661f2b1237a0e33ad06
                                SHA1:16a3542ada51249be3b3a2939b79447b817b7a02
                                SHA256:9ae617395ad5440f6774902b04f331a59282737d0f3c897d9f21ab73c19b691e
                                SHA512:e3c720d343f8d51fc008b951663669615bfeb22513705532d0c63d64662028db6561b6ad302bb71ae6d9c7bf876b9fb33665f09ae877d821ed60642bb7e22a80
                                SSDEEP:49152:RVQGeQ3baj4j62r4XenE+svt3aaJzeuNh4zHhSeb78G5oEz:TmdU+2r4X+Mt3hey4tSs78GT
                                TLSH:E4B533157FF632D4E0A4A2B1891F06E19C333F29805B5738FA5D368A0DD6A34EEE5835
                                File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                Icon Hash:8596a1a0a1a1b171
                                Entrypoint:0x9db000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18c05e | 0x72 | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18a000 | 0x1638 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d9e0c | 0x10 | kwsiocfo
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x5d9dbc | 0x18 | kwsiocfo
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x18369c | 0x40 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 | 0x1000 | 0x189000 | 0xab400 | 5471edd808084016e0c0c3a96d435481 | False | 0.998762545620438 | data | 7.98581846796198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x18a000 | 0x1638 | 0x1800 | fe6f3fdb9e7e97cba92d8ce4e4fcc95b | False | 0.7220052083333334 | data | 6.54017046361188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata | 0x18c000 | 0x1000 | 0x200 | 0e14477ce436cc9ebd87f17a92173639 | False | 0.1640625 | data | 1.180504109820196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 | 0x18d000 | 0x2b5000 | 0x200 | 04106eec78bb2c4e1e59132fa62f213f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                kwsiocfo | 0x442000 | 0x198000 | 0x198000 | c945eb9894dc34a72b47bb6c4df6080d | False | 0.9946779737285539 | data | 7.9553136795218204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                hhfhiasa | 0x5da000 | 0x1000 | 0x400 | 2e220f818bac0bf8641c0720b7e1fee9 | False | 0.7646484375 | data | 6.131629474123768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .taggant | 0x5db000 | 0x3000 | 0x2200 | 4b95b5d779876c4e79c6ebd6d1317d62 | False | 0.06939338235294118 | DOS executable (COM) | 0.7729148449928186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| RT_ICON | 0x18a440 | 0x1060 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.8838263358778626 |
| RT_GROUP_ICON | 0x18b4a0 | 0x14 | data | Russian | Russia | 1.05 |
| RT_VERSION | 0x18a130 | 0x310 | data | Russian | Russia | 0.45408163265306123 |
| RT_MANIFEST | 0x18b4b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |

| DLL | Import |
| kernel32.dll | lstrcpy |

| Language of compilation system | Country where language is spoken |
| Russian | Russia |
| English | United States |

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
| 06/23/24-16:17:36.899727 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49707 | 58709 | 192.168.2.5 | 77.91.77.66 |
| 06/23/24-16:17:38.200223 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49716 | 58709 | 192.168.2.5 | 77.91.77.66 |
| 06/23/24-16:17:04.473158 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49716 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:15:23.534284 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49716 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:17:36.899737 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49706 | 58709 | 192.168.2.5 | 77.91.77.66 |
| 06/23/24-16:17:37.415514 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49708 | 58709 | 192.168.2.5 | 77.91.77.66 |
| 06/23/24-16:15:00.772679 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49705 | 58709 | 192.168.2.5 | 77.91.77.66 |
| 06/23/24-16:17:01.678127 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49706 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:17:36.603047 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49705 | 58709 | 192.168.2.5 | 77.91.77.66 |
| 06/23/24-16:17:02.960524 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49708 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:15:15.298112 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49708 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:17:01.182074 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49705 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:17:01.624141 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49707 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:15:01.352624 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49705 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:15:05.509073 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49707 | 77.91.77.66 | 192.168.2.5 |
| 06/23/24-16:15:05.517411 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49706 | 77.91.77.66 | 192.168.2.5 |
                                Jun 23, 2024 16:17:03.055392981 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:03.759295940 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:03.764142990 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:04.321490049 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:04.326383114 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:04.473157883 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:04.618144035 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:04.759196043 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:04.764316082 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:04.805890083 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:04.810888052 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:06.087085962 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:06.092135906 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:07.446686029 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:07.451488018 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:07.602880955 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:07.607736111 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:07.884073019 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:07.889008999 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:07.931184053 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:07.936176062 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:09.227953911 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:09.232753038 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:10.571676970 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:10.576628923 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:10.727906942 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:10.734484911 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:11.024832010 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:11.056786060 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:11.090905905 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:11.090922117 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:12.368434906 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:12.373476028 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:13.696799040 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:13.701697111 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:13.868547916 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:13.873678923 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:14.165453911 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:14.170295954 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:14.196512938 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:14.201790094 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:15.509206057 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:15.514532089 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:16.412205935 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:16.555418968 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:16.619469881 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:16.631758928 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:16.679426908 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:16.727344990 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:16.993388891 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:16.999217033 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:17.225663900 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:17.352304935 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:17.904524088 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:18.118129969 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:19.524858952 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:19.529942036 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:19.743829966 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:19.743932962 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:19.750685930 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:19.750699997 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:20.337388992 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:20.342210054 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:21.040319920 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:21.045144081 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:22.649782896 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:22.654711962 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:22.884012938 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:22.884128094 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:22.889072895 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:22.889108896 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:23.462291002 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:23.467356920 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:24.165394068 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:24.170355082 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:25.774669886 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:25.781359911 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:26.009110928 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:26.009135962 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:26.014050007 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:26.014069080 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:26.587275982 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:26.592211008 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:27.290546894 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:27.295478106 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:28.918216944 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:28.923396111 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:29.149872065 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:29.149961948 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:29.154798031 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:29.154815912 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:29.712178946 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:29.717150927 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:30.348942041 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:30.436187983 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:30.444555998 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:30.556180954 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:30.626257896 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:30.645334959 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:30.730366945 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:30.748198986 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:31.161633968 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:31.255724907 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:31.918330908 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:32.134318113 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:33.478053093 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:33.483206034 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:33.759269953 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:33.759315014 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:33.764142036 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:33.764190912 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:34.291204929 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:34.296230078 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:35.056797028 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:35.061722994 CEST587094971677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:36.603046894 CEST4970558709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:36.608021021 CEST587094970577.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:36.899727106 CEST4970758709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:36.899736881 CEST4970658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:36.904803038 CEST587094970677.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:36.904839039 CEST587094970777.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:37.415513992 CEST4970858709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:37.421209097 CEST587094970877.91.77.66192.168.2.5
                                Jun 23, 2024 16:17:38.200222969 CEST4971658709192.168.2.577.91.77.66
                                Jun 23, 2024 16:17:38.205562115 CEST587094971677.91.77.66192.168.2.5

                                Target ID:0
                                Start time:10:14:57
                                Start date:23/06/2024
                                Path:C:\Users\user\Desktop\Ke5ufWcgxp.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Ke5ufWcgxp.exe"
                                Imagebase:0x580000
                                File size:2'393'600 bytes
                                MD5 hash:85B0F825EC9F8661F2B1237A0E33AD06
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:false

                                Target ID:2
                                Start time:10:14:59
                                Start date:23/06/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                Imagebase:0x9a0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:10:15:00
                                Start date:23/06/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:10:15:00
                                Start date:23/06/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                Imagebase:0x9a0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:10:15:00
                                Start date:23/06/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:10:15:00
                                Start date:23/06/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0x180000
                                File size:2'393'600 bytes
                                MD5 hash:85B0F825EC9F8661F2B1237A0E33AD06
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 45%, ReversingLabs
                                • Detection: 53%, Virustotal, Browse
                                Reputation:low
                                Has exited:false

                                Target ID:7
                                Start time:10:15:00
                                Start date:23/06/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0x180000
                                File size:2'393'600 bytes
                                MD5 hash:85B0F825EC9F8661F2B1237A0E33AD06
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:false

                                Target ID:8
                                Start time:10:15:10
                                Start date:23/06/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0x700000
                                File size:2'393'600 bytes
                                MD5 hash:85B0F825EC9F8661F2B1237A0E33AD06
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 45%, ReversingLabs
                                • Detection: 53%, Virustotal, Browse
                                Reputation:low
                                Has exited:false

                                Target ID:10
                                Start time:10:15:19
                                Start date:23/06/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0x700000
                                File size:2'393'600 bytes
                                MD5 hash:85B0F825EC9F8661F2B1237A0E33AD06
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:false

                                  Execution Graph

                                  Execution Coverage:3.8%
                                  Dynamic/Decrypted Code Coverage:1%
                                  Signature Coverage:2.5%
                                  Total number of Nodes:1831
                                  Total number of Limit Nodes:25
16256->16257 16258 5b4b15 ___std_exception_copy 2 API calls 16257->16258 16259 58381e 16258->16259 16260 58385f std::ios_base::_Ios_base_dtor 16259->16260 16261 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16259->16261 16260->16239 16262 5838b0 16261->16262 16274 5b4b78 16262->16274 16264 5838f5 std::ios_base::_Ios_base_dtor 16264->16239 16266 598f22 std::locale::_Locimp::_Locimp 16265->16266 16267 598f4f 16265->16267 16266->16254 16268 5832d0 std::_Throw_Cpp_error 2 API calls 16267->16268 16269 59902f std::ios_base::_Ios_base_dtor 16267->16269 16270 598fa4 std::locale::_Locimp::_Locimp 16268->16270 16269->16254 16271 599002 std::locale::_Locimp::_Locimp 16270->16271 16272 582fe0 std::_Throw_Cpp_error RtlAllocateHeap 16270->16272 16271->16254 16273 598fef 16272->16273 16273->16254 16275 5b4b85 16274->16275 16277 5b4b8c 16274->16277 16276 5c1c96 ___std_exception_copy RtlAllocateHeap 16275->16276 16276->16277 16277->16264 16279 584922 16278->16279 16280 58491a std::_Throw_Cpp_error Concurrency::cancel_current_task 16278->16280 16279->16242 16303 5847f0 16280->16303 16282 584968 std::ios_base::_Ios_base_dtor Concurrency::cancel_current_task 16282->16242 16284 5b2735 __EH_prolog3 std::_Lockit::_Lockit 16283->16284 16287 5b2771 std::_Throw_Cpp_error std::_Lockit::~_Lockit 16284->16287 16321 5b288c 16284->16321 16286 5b2753 16327 5b28af 16286->16327 16287->16246 16292 59a0a2 std::_Throw_Cpp_error std::_Lockit::~_Lockit std::_Lockit::_Lockit 16291->16292 16293 5b3672 std::_Facet_Register 2 API calls 16292->16293 16302 59a144 std::_Lockit::~_Lockit 16292->16302 16294 59a152 16293->16294 16392 584040 16294->16392 16300 59a1f1 16427 5b26f7 16300->16427 16302->16248 16304 584851 16303->16304 16304->16304 16315 583040 16304->16315 16306 584865 16307 5836e0 std::_Throw_Cpp_error 2 API calls 16306->16307 16309 58487b 16307->16309 16308 5848a5 std::ios_base::_Ios_base_dtor 16308->16282 16309->16308 16310 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16309->16310 16312 5848f7 
std::_Throw_Cpp_error Concurrency::cancel_current_task 16310->16312 16311 584922 16311->16282 16312->16311 16313 5847f0 std::_Throw_Cpp_error 2 API calls 16312->16313 16314 584968 std::ios_base::_Ios_base_dtor Concurrency::cancel_current_task 16313->16314 16314->16282 16317 5830c8 16315->16317 16318 583052 16315->16318 16316 583057 std::locale::_Locimp::_Locimp 16316->16306 16317->16306 16318->16316 16319 5832d0 std::_Throw_Cpp_error 2 API calls 16318->16319 16320 5830a3 std::locale::_Locimp::_Locimp 16319->16320 16320->16306 16322 5b3672 std::_Facet_Register 2 API calls 16321->16322 16324 5b2897 16322->16324 16323 5b28ab 16323->16286 16324->16323 16337 5b2611 16324->16337 16328 5b28bb 16327->16328 16329 5b275b 16327->16329 16340 5b333a 16328->16340 16331 595a60 16329->16331 16332 595ab3 std::locale::_Locimp::_Locimp 16331->16332 16333 595a86 16331->16333 16332->16287 16334 595a90 16333->16334 16335 5c1c96 ___std_exception_copy RtlAllocateHeap 16333->16335 16334->16332 16336 5c23ec ___std_exception_copy 2 API calls 16334->16336 16335->16334 16336->16332 16338 595a60 std::locale::_Locimp::_Locimp 2 API calls 16337->16338 16339 5b264b 16338->16339 16339->16286 16341 5b334a std::locale::_Setgloballocale 16340->16341 16341->16329 16344 5c41d6 std::locale::_Setgloballocale 16341->16344 16346 5cf665 16341->16346 16367 5c36e2 16344->16367 16345 5c4209 __Getctype std::locale::_Setgloballocale 16345->16329 16347 5cf671 std::locale::_Setgloballocale 16346->16347 16348 5c9f93 std::locale::_Setgloballocale RtlAllocateHeap 16347->16348 16349 5cf6c1 16347->16349 16352 5cf6a2 std::locale::_Setgloballocale 16347->16352 16354 5cf6d3 std::_Lockit::_Lockit std::locale::_Setgloballocale 16347->16354 16348->16352 16350 5c16ff __floor_pentium4 RtlAllocateHeap 16349->16350 16351 5cf6c6 16350->16351 16353 5b8c60 ___std_exception_copy RtlAllocateHeap 16351->16353 16352->16349 16352->16354 16355 5cf6ab 16352->16355 16353->16355 16356 5cf843 std::_Lockit::~_Lockit 16354->16356 16358 5cf746 
16354->16358 16364 5cf774 std::locale::_Setgloballocale 16354->16364 16355->16344 16357 5c36e2 std::locale::_Setgloballocale RtlAllocateHeap 16356->16357 16359 5cf856 16357->16359 16358->16364 16370 5c9e42 16358->16370 16361 5c9e42 __Getctype RtlAllocateHeap 16365 5cf7c9 16361->16365 16363 5c9e42 __Getctype RtlAllocateHeap 16363->16364 16364->16355 16364->16361 16364->16365 16365->16355 16366 5c9e42 __Getctype RtlAllocateHeap 16365->16366 16366->16355 16384 5c3552 16367->16384 16369 5c36f3 16369->16345 16371 5c9e4b __Getctype 16370->16371 16372 5ca65a __Getctype RtlAllocateHeap 16371->16372 16374 5c9e62 16371->16374 16376 5c9e8f __Getctype 16372->16376 16373 5c9e97 __Getctype 16380 5cb01a ___std_exception_copy RtlAllocateHeap 16373->16380 16375 5c9ef2 16374->16375 16377 5c41c6 __Getctype RtlAllocateHeap 16374->16377 16375->16363 16376->16373 16378 5c9ecf 16376->16378 16379 5c9efc 16377->16379 16381 5c9c70 __Getctype RtlAllocateHeap 16378->16381 16380->16374 16382 5c9eda 16381->16382 16383 5cb01a ___std_exception_copy RtlAllocateHeap 16382->16383 16383->16374 16385 5c357f std::locale::_Setgloballocale 16384->16385 16388 5c33e3 16385->16388 16387 5c35c8 std::locale::_Setgloballocale 16387->16369 16389 5c33ef std::_Lockit::_Lockit std::locale::_Setgloballocale 16388->16389 16390 5c346a std::locale::_Setgloballocale RtlAllocateHeap 16389->16390 16391 5c3406 std::locale::_Setgloballocale 16390->16391 16391->16387 16393 584066 std::_Lockit::_Lockit 16392->16393 16394 5840c2 16393->16394 16395 5840e6 16393->16395 16430 5b2827 16394->16430 16439 5b1d4a 16395->16439 16398 5840f0 16400 5b2cf4 16471 5c3cf8 16400->16471 16402 5b2cfd __Getctype 16403 5b2d17 16402->16403 16404 5b2d35 16402->16404 16476 5c454e 16403->16476 16406 5c454e __Getctype RtlAllocateHeap 16404->16406 16407 5b2d1e 16406->16407 16481 5c3d42 16407->16481 16410 59a1ca 16412 584100 16410->16412 16518 5b2872 16412->16518 16415 584140 16417 5c1c96 ___std_exception_copy RtlAllocateHeap 16415->16417 16419 58415b 
16415->16419 16416 5c1c96 ___std_exception_copy RtlAllocateHeap 16416->16415 16417->16419 16418 584176 16421 584191 16418->16421 16422 5c1c96 ___std_exception_copy RtlAllocateHeap 16418->16422 16419->16418 16420 5c1c96 ___std_exception_copy RtlAllocateHeap 16419->16420 16420->16418 16423 5841ac 16421->16423 16425 5c1c96 ___std_exception_copy RtlAllocateHeap 16421->16425 16422->16421 16424 5841c7 std::_Lockit::~_Lockit 16423->16424 16426 5c1c96 ___std_exception_copy RtlAllocateHeap 16423->16426 16424->16300 16425->16423 16426->16424 16428 5b3672 std::_Facet_Register 2 API calls 16427->16428 16429 5b2702 16428->16429 16429->16302 16442 5c4516 16430->16442 16433 595a60 std::locale::_Locimp::_Locimp 2 API calls 16434 5b284b 16433->16434 16435 5b285b 16434->16435 16436 5c4516 std::_Locinfo::_Locinfo_dtor 2 API calls 16434->16436 16437 595a60 std::locale::_Locimp::_Locimp 2 API calls 16435->16437 16436->16435 16438 5840c9 16437->16438 16438->16400 16468 583540 16439->16468 16441 5b1d5b Concurrency::cancel_current_task 16441->16398 16443 5c4523 std::_Lockit::_Lockit 16442->16443 16446 5c42c1 16443->16446 16445 5b2833 16445->16433 16447 5c42cd std::_Lockit::_Lockit std::locale::_Setgloballocale 16446->16447 16450 5c431c 16447->16450 16449 5c42e8 std::_Locinfo::_Locinfo_dtor 16449->16445 16451 5c447b std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16450->16451 16452 5c4337 16451->16452 16453 5c9e42 __Getctype RtlAllocateHeap 16452->16453 16459 5c4370 __Getctype 16452->16459 16454 5c4344 16453->16454 16455 5c3379 std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16454->16455 16456 5c4369 16455->16456 16457 5cb094 std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16456->16457 16456->16459 16458 5c4395 16457->16458 16458->16459 16460 5c3379 std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16458->16460 16459->16449 16461 5c43b1 16460->16461 16462 5c43b8 16461->16462 16463 5c43d3 16461->16463 16462->16459 16464 5cb01a 
___std_exception_copy RtlAllocateHeap 16462->16464 16465 5cb01a ___std_exception_copy RtlAllocateHeap 16463->16465 16466 5c43fe 16463->16466 16464->16459 16465->16466 16466->16459 16467 5cb01a ___std_exception_copy RtlAllocateHeap 16466->16467 16467->16459 16469 5b4b15 ___std_exception_copy 2 API calls 16468->16469 16470 583585 16469->16470 16470->16441 16472 5c9e42 __Getctype RtlAllocateHeap 16471->16472 16473 5c3d03 16472->16473 16492 5ca12d 16473->16492 16477 5c9e42 __Getctype RtlAllocateHeap 16476->16477 16478 5c4559 16477->16478 16479 5ca12d __Getctype RtlAllocateHeap 16478->16479 16480 5c4569 16479->16480 16480->16407 16482 5c9e42 __Getctype RtlAllocateHeap 16481->16482 16483 5c3d4d 16482->16483 16484 5ca12d __Getctype RtlAllocateHeap 16483->16484 16485 5b2d46 16484->16485 16485->16410 16486 5c4572 16485->16486 16487 5c45b3 __Getctype 16486->16487 16488 5c457f 16486->16488 16487->16410 16489 5c23ec ___std_exception_copy 2 API calls 16488->16489 16490 5c45a2 16489->16490 16490->16487 16509 5ce2f4 16490->16509 16493 5c3d13 16492->16493 16494 5ca140 16492->16494 16493->16402 16494->16493 16496 5d2392 16494->16496 16497 5d239e std::locale::_Setgloballocale 16496->16497 16498 5c9e42 __Getctype RtlAllocateHeap 16497->16498 16499 5d23a7 std::_Lockit::_Lockit 16498->16499 16502 5d23ed 16499->16502 16505 5d2413 16499->16505 16501 5d23d6 __Getctype 16501->16502 16503 5c41c6 __Getctype RtlAllocateHeap 16501->16503 16502->16493 16504 5d2412 16503->16504 16506 5d2421 __Getctype 16505->16506 16508 5d242e 16505->16508 16507 5d2146 __Getctype RtlAllocateHeap 16506->16507 16506->16508 16507->16508 16508->16501 16510 5ce310 16509->16510 16511 5ce302 16509->16511 16512 5c16ff __floor_pentium4 RtlAllocateHeap 16510->16512 16511->16510 16516 5ce32a 16511->16516 16513 5ce31a 16512->16513 16515 5b8c60 ___std_exception_copy RtlAllocateHeap 16513->16515 16514 5ce324 16514->16487 16515->16514 16516->16514 16517 5c16ff __floor_pentium4 RtlAllocateHeap 16516->16517 16517->16513 16519 
5b287e 16518->16519 16521 58412c 16518->16521 16520 5c4516 std::_Locinfo::_Locinfo_dtor 2 API calls 16519->16520 16520->16521 16521->16415 16521->16416 16523 5b93e7 std::locale::_Setgloballocale 16522->16523 16524 5b93f0 16523->16524 16526 5b9414 16523->16526 16525 5b8be3 ___std_exception_copy RtlAllocateHeap 16524->16525 16530 5b9409 16525->16530 16528 5b9432 16526->16528 16531 5ca1e9 16526->16531 16529 5b8be3 ___std_exception_copy RtlAllocateHeap 16528->16529 16528->16530 16529->16530 16530->16224 16532 5ca20a 16531->16532 16533 5ca1f5 16531->16533 16532->16528 16534 5c16ff __floor_pentium4 RtlAllocateHeap 16533->16534 16535 5ca1fa 16534->16535 16536 5b8c60 ___std_exception_copy RtlAllocateHeap 16535->16536 16537 5ca205 16536->16537 16537->16528 16540 59fc8d 16538->16540 16542 59fc12 std::locale::_Locimp::_Locimp 16538->16542 16539 59fd5e 16540->16539 16541 5832d0 std::_Throw_Cpp_error 2 API calls 16540->16541 16543 59fce1 std::locale::_Locimp::_Locimp 16541->16543 16544 59fd3a std::locale::_Locimp::_Locimp 16543->16544 16545 582fe0 std::_Throw_Cpp_error RtlAllocateHeap 16543->16545 16546 59fd27 16545->16546 16548 59e528 16547->16548 16549 59e4c2 16547->16549 16660 583330 16548->16660 16550 59e4f9 16549->16550 16551 59e4ca 16549->16551 16555 59e516 16550->16555 16558 5b3672 std::_Facet_Register 2 API calls 16550->16558 16553 59e52d 16551->16553 16554 59e4d1 16551->16554 16556 582b50 Concurrency::cancel_current_task 2 API calls 16553->16556 16557 5b3672 std::_Facet_Register 2 API calls 16554->16557 16555->16156 16559 59e4d7 16556->16559 16557->16559 16560 59e503 16558->16560 16561 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16559->16561 16562 59e4e0 16559->16562 16560->16156 16563 59e537 16561->16563 16562->16156 16663 596ad0 16563->16663 16565 59e574 16566 584900 std::_Throw_Cpp_error 2 API calls 16565->16566 16567 59e5fb 16566->16567 16568 59e613 16567->16568 16667 599b60 16567->16667 16568->16156 16571 674767 16570->16571 16572 67476c 16570->16572 16571->16156 
16573 5c23ec ___std_exception_copy 2 API calls 16572->16573 16579 6747af 16572->16579 16573->16579 16574 6747c2 16574->16156 16575 674877 16575->16156 16576 5c1c96 ___std_exception_copy RtlAllocateHeap 16577 674867 16576->16577 16577->16156 16578 674821 16578->16575 16578->16576 16579->16574 16579->16578 16580 5c1c96 ___std_exception_copy RtlAllocateHeap 16579->16580 16580->16578 16582 5a4288 16581->16582 16583 5a4195 16581->16583 16584 583330 2 API calls 16582->16584 16586 5a41b1 16583->16586 16587 5a4202 16583->16587 16588 5a41f2 16583->16588 16585 5a428d 16584->16585 16589 582b50 Concurrency::cancel_current_task 2 API calls 16585->16589 16590 5b3672 std::_Facet_Register 2 API calls 16586->16590 16592 5b3672 std::_Facet_Register 2 API calls 16587->16592 16598 5a41cf std::locale::_Locimp::_Locimp std::locale::_Setgloballocale 16587->16598 16588->16585 16588->16586 16591 5a4292 16589->16591 16593 5a41c4 16590->16593 16594 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16591->16594 16592->16598 16593->16591 16593->16598 16595 5a4297 16594->16595 16596 5a42fa 16595->16596 16597 5a43e9 16595->16597 16707 5a6ff0 16596->16707 16599 583330 2 API calls 16597->16599 16702 5a77d0 16598->16702 16600 5a43ee 16599->16600 16602 5a445a 16600->16602 16603 5a4549 16600->16603 16607 5a6ff0 2 API calls 16602->16607 16605 583330 2 API calls 16603->16605 16616 5a454e 16605->16616 16606 5a425e 16606->16156 16610 5a4496 16607->16610 16608 5a470b 16609 583330 2 API calls 16608->16609 16613 5a46af 16609->16613 16615 5963b0 std::_Throw_Cpp_error 2 API calls 16610->16615 16611 5a4706 16612 582b50 Concurrency::cancel_current_task 2 API calls 16611->16612 16612->16608 16619 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16613->16619 16639 5a46d1 std::ios_base::_Ios_base_dtor 16613->16639 16614 5a4336 16715 5a7830 16614->16715 16628 5a44c4 16615->16628 16616->16608 16616->16611 16617 5a45ee 16616->16617 16618 5a4615 16616->16618 16617->16611 16620 5a45f9 16617->16620 16625 5b3672 
std::_Facet_Register 2 API calls 16618->16625 16631 5a45ff 16618->16631 16621 5a4715 16619->16621 16622 5b3672 std::_Facet_Register 2 API calls 16620->16622 16727 59d010 16621->16727 16622->16631 16625->16631 16626 5a43b0 16626->16156 16630 5a7830 RtlAllocateHeap 16628->16630 16632 5a4510 16630->16632 16631->16613 16631->16639 16720 5b1f9c 16631->16720 16632->16156 16633 5a4798 16635 582b50 Concurrency::cancel_current_task 2 API calls 16633->16635 16634 5a472f Concurrency::cancel_current_task 16634->16633 16636 5a475b 16634->16636 16637 5a477f 16634->16637 16640 5a4768 16635->16640 16636->16633 16641 5a4762 16636->16641 16638 5a4791 16637->16638 16642 5b3672 std::_Facet_Register 2 API calls 16637->16642 16638->16156 16639->16156 16644 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16640->16644 16648 5a4771 16640->16648 16645 5b3672 std::_Facet_Register 2 API calls 16641->16645 16646 5a4789 16642->16646 16647 5a47a2 16644->16647 16645->16640 16646->16156 16648->16156 16650 596174 16649->16650 16652 596143 std::locale::_Locimp::_Locimp 16649->16652 16651 596180 16650->16651 16654 596200 16650->16654 16653 5832d0 std::_Throw_Cpp_error 2 API calls 16651->16653 16652->16154 16657 5961bf std::locale::_Locimp::_Locimp 16653->16657 16654->16654 16655 598f00 std::_Throw_Cpp_error 2 API calls 16654->16655 16656 596232 16655->16656 16656->16154 16658 582fe0 std::_Throw_Cpp_error RtlAllocateHeap 16657->16658 16659 5961ed 16657->16659 16658->16659 16659->16154 16671 5b1cea 16660->16671 16664 596b02 16663->16664 16666 596b1d 16664->16666 16691 5950e0 16664->16691 16666->16565 16668 599bbb 16667->16668 16669 599b96 16667->16669 16668->16568 16669->16668 16699 5988a0 16669->16699 16678 5b1a9f 16671->16678 16673 5b1cfb Concurrency::cancel_current_task 16681 5b1af4 16673->16681 16675 5b1d1b Concurrency::cancel_current_task 16684 5b1b37 16675->16684 16677 5b1d3b Concurrency::cancel_current_task 16688 5834e0 16678->16688 16682 5834e0 std::invalid_argument::invalid_argument 2 API calls 
16681->16682 16683 5b1b06 16682->16683 16683->16675 16685 5b1b4b std::regex_error::regex_error 16684->16685 16686 5834e0 std::invalid_argument::invalid_argument 2 API calls 16685->16686 16687 5b1b54 16686->16687 16687->16677 16689 5b4b15 ___std_exception_copy 2 API calls 16688->16689 16690 583522 16689->16690 16690->16673 16692 595117 16691->16692 16697 5951b5 16691->16697 16693 596ad0 2 API calls 16692->16693 16695 595120 16693->16695 16694 59519d 16696 599b60 2 API calls 16694->16696 16694->16697 16695->16694 16698 584900 std::_Throw_Cpp_error 2 API calls 16695->16698 16696->16697 16697->16666 16698->16694 16700 584900 std::_Throw_Cpp_error 2 API calls 16699->16700 16701 5988bf 16700->16701 16701->16668 16703 5a77f9 std::ios_base::_Ios_base_dtor 16702->16703 16704 5a77dc 16702->16704 16703->16606 16704->16703 16705 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16704->16705 16706 5a7824 16705->16706 16708 5a703c 16707->16708 16709 5a6ff9 16707->16709 16708->16708 16709->16708 16711 5b3672 std::_Facet_Register 2 API calls 16709->16711 16713 5a7013 16709->16713 16710 5b3672 std::_Facet_Register 2 API calls 16712 5a7035 16710->16712 16711->16713 16712->16614 16713->16710 16714 5a701c 16713->16714 16714->16614 16716 5a7882 std::ios_base::_Ios_base_dtor 16715->16716 16717 5a783d 16715->16717 16716->16626 16717->16716 16718 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16717->16718 16719 5a78b6 16718->16719 16721 5b1fb2 16720->16721 16722 5b1fa5 16720->16722 16721->16631 16722->16721 16723 5c41c6 __Getctype RtlAllocateHeap 16722->16723 16724 5b1fbb 16723->16724 16725 5b1f9c RtlAllocateHeap 16724->16725 16726 5b1fca 16725->16726 16726->16631 16728 59d01a 16727->16728 16729 59d02e 16727->16729 16728->16729 16730 5b1f9c RtlAllocateHeap 16728->16730 16731 599910 16729->16731 16730->16728 16732 599938 std::ios_base::_Ios_base_dtor 16731->16732 16733 599928 16731->16733 16732->16634 16733->16732 16734 5b8c70 std::_Throw_Cpp_error RtlAllocateHeap 16733->16734 16735 59994d 
16734->16735 16739 5b976a std::locale::_Setgloballocale 16736->16739 16737 5b9771 16738 5c16ff __floor_pentium4 RtlAllocateHeap 16737->16738 16740 5b9776 16738->16740 16739->16737 16741 5b9791 16739->16741 16742 5b8c60 ___std_exception_copy RtlAllocateHeap 16740->16742 16743 5b97a3 16741->16743 16744 5b9796 16741->16744 16749 5b9781 16742->16749 16750 5ca8ef 16743->16750 16745 5c16ff __floor_pentium4 RtlAllocateHeap 16744->16745 16745->16749 16747 5b97ac 16748 5c16ff __floor_pentium4 RtlAllocateHeap 16747->16748 16747->16749 16748->16749 16749->16166 16751 5ca8fb std::_Lockit::_Lockit std::locale::_Setgloballocale 16750->16751 16754 5ca993 16751->16754 16753 5ca916 16753->16747 16755 5ca9b6 16754->16755 16756 5ca65a __Getctype RtlAllocateHeap 16755->16756 16759 5ca9fc std::locale::_Setgloballocale 16755->16759 16757 5caa17 16756->16757 16758 5cb01a ___std_exception_copy RtlAllocateHeap 16757->16758 16758->16759 16759->16753 16774 5bce79 16760->16774 16762 5bd6ff 16768 5bd723 16762->16768 16781 5be1d0 16762->16781 16763 5bd6cc 16765 5b8be3 ___std_exception_copy RtlAllocateHeap 16763->16765 16764 5bd6b7 16764->16762 16764->16763 16773 5bd6e7 std::_Locinfo::_Locinfo_dtor 16764->16773 16765->16773 16769 5bd747 16768->16769 16788 5bce94 16768->16788 16770 5bd7cf 16769->16770 16795 5bce22 16769->16795 16771 5bce22 RtlAllocateHeap 16770->16771 16771->16773 16773->16174 16775 5bce7e 16774->16775 16776 5bce91 16774->16776 16777 5c16ff __floor_pentium4 RtlAllocateHeap 16775->16777 16776->16764 16778 5bce83 16777->16778 16779 5b8c60 ___std_exception_copy RtlAllocateHeap 16778->16779 16780 5bce8e 16779->16780 16780->16764 16782 5b8a47 ___std_exception_copy RtlAllocateHeap 16781->16782 16783 5be1e0 16782->16783 16801 5ca15a 16783->16801 16789 5bcea0 16788->16789 16793 5bceb6 16788->16793 16790 5c454e __Getctype RtlAllocateHeap 16789->16790 16791 5bceab std::_Locinfo::_Locinfo_dtor 16790->16791 16791->16768 16792 5bcec6 16792->16768 16793->16792 16903 5c9a39 16793->16903 16796 
5bce33 16795->16796 16797 5bce47 16795->16797 16796->16797 16798 5c16ff __floor_pentium4 RtlAllocateHeap 16796->16798 16797->16770 16799 5bce3c 16798->16799 16800 5b8c60 ___std_exception_copy RtlAllocateHeap 16799->16800 16800->16797 16802 5be1fd 16801->16802 16803 5ca171 16801->16803 16805 5ca1b8 16802->16805 16803->16802 16804 5d2392 __Getctype RtlAllocateHeap 16803->16804 16804->16802 16806 5ca1cf 16805->16806 16808 5be20a 16805->16808 16806->16808 16809 5d06bd 16806->16809 16808->16768 16810 5c9e42 __Getctype RtlAllocateHeap 16809->16810 16811 5d06c2 16810->16811 16814 5d05d5 16811->16814 16813 5d06cd 16813->16808 16817 5d05e1 std::_Lockit::_Lockit std::locale::_Setgloballocale 16814->16817 16815 5d05fb std::_Locinfo::_Locinfo_dtor 16816 5d0602 16815->16816 16818 5c41c6 __Getctype RtlAllocateHeap 16815->16818 16816->16813 16817->16815 16822 5cb01a ___std_exception_copy RtlAllocateHeap 16817->16822 16819 5d0674 16818->16819 16820 5d06b0 16819->16820 16825 5c9efd 16819->16825 16820->16813 16822->16815 16826 5c9f08 __Getctype 16825->16826 16827 5c9f14 16826->16827 16829 5ca65a __Getctype RtlAllocateHeap 16826->16829 16828 5c9f19 16827->16828 16830 5c41c6 __Getctype RtlAllocateHeap 16827->16830 16839 5d0480 16828->16839 16832 5c9f38 __Getctype 16829->16832 16831 5c9f92 16830->16831 16833 5c9f74 16832->16833 16834 5c9f40 __Getctype 16832->16834 16835 5c9c70 __Getctype RtlAllocateHeap 16833->16835 16836 5cb01a ___std_exception_copy RtlAllocateHeap 16834->16836 16837 5c9f7f 16835->16837 16836->16827 16838 5cb01a ___std_exception_copy RtlAllocateHeap 16837->16838 16838->16828 16840 5d05d5 std::_Locinfo::_Locinfo_dtor 2 API calls 16839->16840 16841 5d04aa 16840->16841 16862 5d0207 16841->16862 16846 5d04dc 16848 5cb01a ___std_exception_copy RtlAllocateHeap 16846->16848 16847 5d04ea 16871 5d06d0 16847->16871 16850 5d04c3 16848->16850 16850->16820 16851 5d0517 16852 5d0522 16851->16852 16858 5d053d std::_Locinfo::_Locinfo_dtor 16851->16858 16853 5c16ff __floor_pentium4 
RtlAllocateHeap 16852->16853 16854 5d0527 16853->16854 16857 5cb01a ___std_exception_copy RtlAllocateHeap 16854->16857 16855 5d0569 16856 5d05b2 16855->16856 16876 5d00f9 16855->16876 16861 5cb01a ___std_exception_copy RtlAllocateHeap 16856->16861 16857->16850 16858->16855 16859 5cb01a ___std_exception_copy RtlAllocateHeap 16858->16859 16859->16855 16861->16850 16880 5b95ae 16862->16880 16865 5cb094 16866 5cb0d2 16865->16866 16867 5cb0a2 __Getctype std::_Facet_Register 16865->16867 16868 5c16ff __floor_pentium4 RtlAllocateHeap 16866->16868 16867->16866 16869 5cb0bd RtlAllocateHeap 16867->16869 16870 5cb0d0 16868->16870 16869->16867 16869->16870 16870->16846 16870->16847 16872 5d0207 std::_Locinfo::_Locinfo_dtor 2 API calls 16871->16872 16875 5d06f0 std::_Locinfo::_Locinfo_dtor std::locale::_Setgloballocale 16872->16875 16873 5d07f5 std::_Locinfo::_Locinfo_dtor _ValidateLocalCookies 16873->16851 16875->16873 16888 5d02db 16875->16888 16877 5d0105 std::_Lockit::_Lockit std::locale::_Setgloballocale 16876->16877 16896 5d0146 16877->16896 16879 5d011c std::_Locinfo::_Locinfo_dtor 16879->16856 16881 5b95cc 16880->16881 16887 5b95c5 16880->16887 16882 5c9e42 __Getctype RtlAllocateHeap 16881->16882 16881->16887 16883 5b95ed 16882->16883 16884 5ca12d __Getctype RtlAllocateHeap 16883->16884 16885 5b9603 16884->16885 16886 5ca18b std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16885->16886 16886->16887 16887->16850 16887->16865 16889 5d0303 16888->16889 16895 5d03cc _ValidateLocalCookies 16888->16895 16890 5cf44d std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16889->16890 16889->16895 16891 5d0383 16890->16891 16892 5ca8a6 std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16891->16892 16893 5d03a4 16892->16893 16894 5ca8a6 std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16893->16894 16894->16895 16895->16873 16897 5bceeb std::_Locinfo::_Locinfo_dtor RtlAllocateHeap 16896->16897 16898 5d0168 16897->16898 16899 5bceeb 
std::_Locinfo::_Locinfo_dtor RtlAllocateHeap 16898->16899 16900 5d0187 16899->16900 16901 5cb01a ___std_exception_copy RtlAllocateHeap 16900->16901 16902 5d01ae 16900->16902 16901->16902 16902->16879 16904 5b95ae std::_Locinfo::_Locinfo_dtor 2 API calls 16903->16904 16905 5c9a56 16904->16905 16907 5c9a66 _ValidateLocalCookies 16905->16907 16908 5cf44d 16905->16908 16907->16792 16909 5b95ae std::_Locinfo::_Locinfo_dtor 2 API calls 16908->16909 16910 5cf46d std::_Locinfo::_Locinfo_dtor 16909->16910 16911 5cb094 std::_Locinfo::_Locinfo_dtor 2 API calls 16910->16911 16912 5cf529 _ValidateLocalCookies 16910->16912 16914 5cf4bf std::_Locinfo::_Locinfo_dtor std::locale::_Setgloballocale 16910->16914 16911->16914 16912->16907 16915 5b3275 16914->16915 16916 5b327f 16915->16916 16918 5b3290 16915->16918 16917 5c1c96 ___std_exception_copy RtlAllocateHeap 16916->16917 16916->16918 16917->16918 16918->16912 16920 59ab55 16919->16920 16921 59aba3 16920->16921 16928 59e8a0 16920->16928 16923 59ab83 16923->16181 16925 583459 16924->16925 16932 5c0dd7 16925->16932 16929 59e8ce 16928->16929 16931 59e8f8 std::locale::_Locimp::_Locimp 16928->16931 16930 5832d0 std::_Throw_Cpp_error 2 API calls 16929->16930 16930->16931 16931->16923 16933 5c0deb ___std_exception_copy 16932->16933 16938 5be565 16933->16938 16935 5c0e06 16936 5b899c ___std_exception_copy RtlAllocateHeap 16935->16936 16937 583467 16936->16937 16937->16184 16937->16186 16939 5be591 16938->16939 16940 5be5b4 16938->16940 16941 5b8be3 ___std_exception_copy RtlAllocateHeap 16939->16941 16940->16939 16943 5be5bc 16940->16943 16942 5be5a9 _ValidateLocalCookies 16941->16942 16942->16935 16947 5bfaa7 16943->16947 16965 5c0b0d 16947->16965 16950 5bfacc 16951 5b8be3 ___std_exception_copy RtlAllocateHeap 16950->16951 16952 5be63d 16951->16952 16962 5bf28d 16952->16962 16955 5be1d0 std::_Locinfo::_Locinfo_dtor 2 API calls 16957 5bfaf4 std::_Locinfo::_Locinfo_dtor 16955->16957 16957->16952 16957->16955 16958 5bfbd0 16957->16958 16969 

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,006CD15C,00000000,76A923A0,-00709880), ref: 005896C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  • Associated: 00000000.00000002.3636469569.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3636606230.0000000000705000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3637426316.000000000070A000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000070D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000088D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009B4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3643625441.00000000009C3000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3644742846.0000000000B59000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3644840814.0000000000B5B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: Send
                                  • String ID: Ws2_32.dll
                                  • API String ID: 121738739-3093949381
                                  • Opcode ID: 705bb3c057c617e361f66346830b6c958ce386060fab07b78a55b5db2e1a47c9
                                  • Instruction ID: 84d6b944c86de66a33516cf31112bea06247a1eca36f20b723f0eb4b95f2d05d
                                  • Opcode Fuzzy Hash: 705bb3c057c617e361f66346830b6c958ce386060fab07b78a55b5db2e1a47c9
                                  • Instruction Fuzzy Hash: A402BC70D04298DEDF25DFA4C8907ADBFB0FF55304F284289E8857B686D7741986CB92

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 230 52c0049-52c026c 259 52c027a-52c0281 GetCurrentHwProfileW 230->259 260 52c0291-52c05c4 call 52c0389 259->260
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 078c6dea32cea5c190c40b26fef740a7cc04738b00d5f48d55bb3ac22c4d6b8e
                                  • Instruction ID: 1723d5718f221abd4e44f1a051e882103147ea4efce448dfcc41977483140c4b
                                  • Opcode Fuzzy Hash: 078c6dea32cea5c190c40b26fef740a7cc04738b00d5f48d55bb3ac22c4d6b8e
                                  • Instruction Fuzzy Hash: 78518EEB17C111FEA116C5866B58AFE6E2FEED673073086AEB407D6603E2D44A495031

                                  Control-flow Graph

                                  APIs
                                  • setsockopt.WS2_32(00000428,0000FFFF,00001006,?,00000008), ref: 00647BA7
                                  • recv.WS2_32(?,00000004,00000002), ref: 00647BC1
                                  • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00647C43
                                  • recv.WS2_32(00000000,0000000C,00000008), ref: 00647C64
                                  • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00647D00
                                    • Part of subcall function 00648590: WSAStartup.WS2_32 ref: 006485BB
                                    • Part of subcall function 00648590: socket.WS2_32(?,?,?,?,?,?,00709328,?,?), ref: 0064865E
                                    • Part of subcall function 00648590: connect.WS2_32(00000000,006D9BFC,?,?,?,?,00709328,?,?), ref: 00648672
                                    • Part of subcall function 00648590: closesocket.WS2_32(00000000), ref: 0064867D
                                  • recv.WS2_32(00000000,?,00000008), ref: 00647D1B
                                  • recv.WS2_32(?,00000004,00000008), ref: 00647E23
                                  • __Xtime_get_ticks.LIBCPMT ref: 00647E2A
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00647E38
                                  • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00647EB1
                                  • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00647EB9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  • Associated: 00000000.00000002.3636469569.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3636606230.0000000000705000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3637426316.000000000070A000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000070D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000088D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009B4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3643625441.00000000009C3000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3644742846.0000000000B59000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3644840814.0000000000B5B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
                                  • String ID:
                                  • API String ID: 301102601-0
                                  • Opcode ID: 32c02504779385be311d958d794d6a05fb1e2fcfe5596dbac2edd6bea07c8943
                                  • Instruction ID: fca40866e11e79f0fd0be67fb8c4311228d3a15b2bdacd5da3361a7910ce82cb
                                  • Opcode Fuzzy Hash: 32c02504779385be311d958d794d6a05fb1e2fcfe5596dbac2edd6bea07c8943
                                  • Instruction Fuzzy Hash: 5CB19DB1D04349DFEB10DBA4CC89BAEBBB6BF45300F204259E554AB2D2D7746D84CB91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 57 648590-6485c2 WSAStartup 58 648696-64869f 57->58 59 6485c8-6485f2 call 66a420 * 2 57->59 64 6485f4-6485f8 59->64 65 6485fe-648644 59->65 64->58 64->65 67 648646-64864c 65->67 68 648690 65->68 69 6486a4-6486ae 67->69 70 64864e 67->70 68->58 69->68 74 6486b0-6486b8 69->74 71 648654-648668 socket 70->71 71->68 73 64866a-64867a connect 71->73 75 6486a0 73->75 76 64867c-648684 closesocket 73->76 75->69 76->71 77 648686-64868a 76->77 77->68
                                  APIs
                                  • WSAStartup.WS2_32 ref: 006485BB
                                  • socket.WS2_32(?,?,?,?,?,?,00709328,?,?), ref: 0064865E
                                  • connect.WS2_32(00000000,006D9BFC,?,?,?,?,00709328,?,?), ref: 00648672
                                  • closesocket.WS2_32(00000000), ref: 0064867D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  • Associated: 00000000.00000002.3636469569.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3636606230.0000000000705000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3637426316.000000000070A000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000070D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000088D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009B4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3643625441.00000000009C3000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3644742846.0000000000B59000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3644840814.0000000000B5B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 58001ca3d99f732ae77c8115151dbd50e5810d78f3bf3185173585a588f11ee9
                                  • Instruction ID: 46af861ab35d57bda57526e6ae76cb6f7d877f5e84a8fbbb2faff28647ed334e
                                  • Opcode Fuzzy Hash: 58001ca3d99f732ae77c8115151dbd50e5810d78f3bf3185173585a588f11ee9
                                  • Instruction Fuzzy Hash: 7131E7729053019FD7609F288C85A6FB7E6FFC5334F025F19FAA8932E0E77098148696

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 151 52c0037-52c003d 152 52c003f 151->152 153 52c0049 151->153 154 52c0029 152->154 155 52c0040-52c0047 call 52c0049 152->155 156 52c004a 153->156 157 52c002b 154->157 158 52c0085-52c0087 154->158 155->153 160 52c004c-52c0080 156->160 157->155 158->160 162 52c0089-52c008a 158->162 165 52c0091-52c026c 160->165 162->156 163 52c008c-52c008e 162->163 163->165 190 52c027a-52c0281 GetCurrentHwProfileW 165->190 191 52c0291-52c05c4 call 52c0389 190->191
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fba0db42e5e8588ecf5e2fbc36106cc426294d94620d863a91cb351c20913900
                                  • Instruction ID: 29e88cfdede27bbf3f7bdd075447803026fe8e44141061a78eff751c7a2ef808
                                  • Opcode Fuzzy Hash: fba0db42e5e8588ecf5e2fbc36106cc426294d94620d863a91cb351c20913900
                                  • Instruction Fuzzy Hash: 3571AFEB17C151EEA112C1866B5CAFE6E2FEED673073186EEF40BD6603E2C44A495031

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 299 52c0072-52c026c 323 52c027a-52c0281 GetCurrentHwProfileW 299->323 324 52c0291-52c05c4 call 52c0389 323->324
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 51f62e6d92ac42d4f4eb7ca5094c8de210570650a074ee959940c86c3be6bdf4
                                  • Instruction ID: 68112a3b73ae53ec4a1eea7970e4171cf13631e7997b2f5262098655327e8554
                                  • Opcode Fuzzy Hash: 51f62e6d92ac42d4f4eb7ca5094c8de210570650a074ee959940c86c3be6bdf4
                                  • Instruction Fuzzy Hash: FF519EEB17C110FEA116C5866B58AFE6E2FEAD673073086EEF807D6603E2D54A495031

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 363 52c00b4-52c00d0 364 52c00b1-52c00b3 363->364 365 52c00d2-52c026c 363->365 364->363 387 52c027a-52c0281 GetCurrentHwProfileW 365->387 388 52c0291-52c05c4 call 52c0389 387->388
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d6ba35abf770b93480ec1b91d13fc93ed8a4eb6b953f728deb34f4a141e338ca
                                  • Instruction ID: 7896b1ba876c5e616486dd5dedb896802306316586a3f34160373328d40ab231
                                  • Opcode Fuzzy Hash: d6ba35abf770b93480ec1b91d13fc93ed8a4eb6b953f728deb34f4a141e338ca
                                  • Instruction Fuzzy Hash: 965190AB17C151EEA516C5962B6CAFF5E2FEED673073086EEF407C6603D2C44A495031

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 427 52c0144-52c026c 443 52c027a-52c0281 GetCurrentHwProfileW 427->443 444 52c0291-52c05c4 call 52c0389 443->444
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: a473831491abb8fa92208940c4c7bc6a684ba2c49ae9589f0e61dcb253cfc0a7
                                  • Instruction ID: 9e51690d713cdee7c4430730880365c1b86afa8591d2cde2265280d796ffee4a
                                  • Opcode Fuzzy Hash: a473831491abb8fa92208940c4c7bc6a684ba2c49ae9589f0e61dcb253cfc0a7
                                  • Instruction Fuzzy Hash: 30518CEB17C211FEA516C5866B5CAFE5E2FEAD673073086EEF807D6603E2C44A495031

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 483 52c00ea-52c026c 502 52c027a-52c0281 GetCurrentHwProfileW 483->502 503 52c0291-52c05c4 call 52c0389 502->503
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 519f9b86975ab9ddac866fdfd6bf040e169683655e124c8f59fa85cc59f21e0c
                                  • Instruction ID: 5a30ea04a6fe6494de577dcfcba5770ee5e69c7271921a4d413f563ab4517ac4
                                  • Opcode Fuzzy Hash: 519f9b86975ab9ddac866fdfd6bf040e169683655e124c8f59fa85cc59f21e0c
                                  • Instruction Fuzzy Hash: 65518EEB17C211FEA116C5826B5CAFE6E2FEAD673073086AEF407D6203D3C44A494131

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 542 52c0128-52c0130 543 52c017e-52c0181 542->543 544 52c0132 542->544 545 52c011c-52c011d 543->545 546 52c0183-52c0185 543->546 547 52c0133-52c0171 544->547 545->547 548 52c0187-52c026c 546->548 547->548 563 52c027a-52c0281 GetCurrentHwProfileW 548->563 564 52c0291-52c05c4 call 52c0389 563->564
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 676935969decc642a1ac244da75e803326b0592c50f8de37bf8d328ed09a2f16
                                  • Instruction ID: 1af7d19233980279bfce9b966600ffc1cce3656acbd224582e3b5d686ef1eb19
                                  • Opcode Fuzzy Hash: 676935969decc642a1ac244da75e803326b0592c50f8de37bf8d328ed09a2f16
                                  • Instruction Fuzzy Hash: AF517CEB17C115EEA516C5862B5CAFE5E2FEED673073086EEB80BD6603D2C44B894031

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 603 52c0194-52c01a0 604 52c0165-52c018b 603->604 605 52c01a2-52c026c 603->605 604->605 617 52c027a-52c0281 GetCurrentHwProfileW 605->617 618 52c0291-52c05c4 call 52c0389 617->618
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: e7a7931152837f784d844aae45c6739806d5c58d19c580dc8691816c63a3cb83
                                  • Instruction ID: 7fda17f1d6ab6082f89c514fc7c5c8755f80adcf4a0643fd5546cd95ee7309f7
                                  • Opcode Fuzzy Hash: e7a7931152837f784d844aae45c6739806d5c58d19c580dc8691816c63a3cb83
                                  • Instruction Fuzzy Hash: E2519CEB17C211FEA516C5862B5CAFE5E2FEAD673073086EEF807D6203D2C44A894031

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 657 52c0176-52c0181 659 52c011c-52c0171 657->659 660 52c0183-52c0185 657->660 661 52c0187-52c026c 659->661 660->661 677 52c027a-52c0281 GetCurrentHwProfileW 661->677 678 52c0291-52c05c4 call 52c0389 677->678
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 936b5d9331de5ce83a44e312ae04e1ab63548ff5bc12de29f2540c10dbc164b7
                                  • Instruction ID: 34a5072cd9b88fbb61139d1ed0b6d14fc86913a42a902ddcba47a0b334572f6b
                                  • Opcode Fuzzy Hash: 936b5d9331de5ce83a44e312ae04e1ab63548ff5bc12de29f2540c10dbc164b7
                                  • Instruction Fuzzy Hash: 67517BEB17C211EEA516C5862B5CAFF5E2FEAD673073086EEF807D6603E2C44A494131

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 717 52c015d-52c026c 731 52c027a-52c0281 GetCurrentHwProfileW 717->731 732 52c0291-52c05c4 call 52c0389 731->732
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: be402686a8109675bdcd2c1a5406f0d24b8dc850e8b4ad6d0055cf58231f7583
                                  • Instruction ID: 3d0608b980d90fc5a7de053b50f29e04375333d49eb036ed54fe91226865ab01
                                  • Opcode Fuzzy Hash: be402686a8109675bdcd2c1a5406f0d24b8dc850e8b4ad6d0055cf58231f7583
                                  • Instruction Fuzzy Hash: 65516DEB17C115FEA516C5862B5CAFE5E2FEAD673073086EEB807D6203D2C44A495031

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 771 52c0164-52c026c 785 52c027a-52c0281 GetCurrentHwProfileW 771->785 786 52c0291-52c05c4 call 52c0389 785->786
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: cf74d4e3e0e934be0e5f0c046ee98ab4998098870b2eea94c563999bf9ef4000
                                  • Instruction ID: 1d1247caa4cd6ec138e0ec45ae89b5664d695e54d41e8191692140d2476be821
                                  • Opcode Fuzzy Hash: cf74d4e3e0e934be0e5f0c046ee98ab4998098870b2eea94c563999bf9ef4000
                                  • Instruction Fuzzy Hash: B5516BEB17C215FEA516C5862B5CAFE5E2FEAD677073086EEB807D6203D6C44A894031

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 825 52c01aa-52c01bb 826 52c01bd-52c01e7 825->826 827 52c01e8-52c026c 825->827 826->827 836 52c027a-52c0281 GetCurrentHwProfileW 827->836 837 52c0291-52c05c4 call 52c0389 836->837
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 81b69b3f249f334cd81217c385c113ef8b65a4126553ae0b6ab0f0b7f375b00f
                                  • Instruction ID: af313be15fe702eab5c5ebaf7f6ff64576846d5a3987cc37a06bee24b8743eaf
                                  • Opcode Fuzzy Hash: 81b69b3f249f334cd81217c385c113ef8b65a4126553ae0b6ab0f0b7f375b00f
                                  • Instruction Fuzzy Hash: 59417CEB17C110FEA556C5822B5CAFE6E2FEAD673073086EEB807D6603D2C54B494131
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: bf5996259809577a8da877b84f0645012aa0a7a0e7633dd784dbc5262a19462e
                                  • Instruction ID: 63510c2e38ea57ae8d68109512be4908b258f33a568ca2d316cb36297f509b5f
                                  • Opcode Fuzzy Hash: bf5996259809577a8da877b84f0645012aa0a7a0e7633dd784dbc5262a19462e
                                  • Instruction Fuzzy Hash: 3D417EE717C221FEA116C1962A6CAFF5E2FEAD673073086EEB807D6603D3C54A495031
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 052C027C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3656648467.00000000052C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_52c0000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005C990E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  • Associated: 00000000.00000002.3636469569.0000000000580000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3636606230.0000000000705000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3637426316.000000000070A000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000070D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000088D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.000000000096F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009B4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3638293541.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3643625441.00000000009C3000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3644742846.0000000000B59000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3644840814.0000000000B5B000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,005C8CE6,00000000,?,006FA178,0000000C,005C8DA2,?,?,?), ref: 005C8E55
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,005C2626,?,?,?,?,?), ref: 005C2558
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0058331F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000001,?,005C9FE0,00000001,00000364,00000001,00000006,000000FF,?,005B4B3F,?,?,76A923A0,?), ref: 005CA69B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000001,?,?,005B4B3F,?,?,76A923A0,?,?,00583522,?,?), ref: 005CB0C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • GetSystemTimePreciseAsFileTime.KERNEL32(?,005B3077,?,?,?,?,00647E2F), ref: 005B3655
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: Time$FilePreciseSystem
                                  • String ID: `-X
                                  • API String ID: 1802150274-4060909851
                                  • Opcode ID: 11030c24364ca991a3d19e6b214ed6d49a0ec77bc3c6769179450a4e7c75e7ba
                                  • Instruction ID: fb01bd420f035ba2070b6456a67b699c40f30560101f7743916a8d7a15a7ab6f
                                  • Opcode Fuzzy Hash: 11030c24364ca991a3d19e6b214ed6d49a0ec77bc3c6769179450a4e7c75e7ba
                                  • Instruction Fuzzy Hash: 02F06572A44558EFCB019F54DC05F9EBBA8FB09B10F014626E812E7790DB74A9008E94
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0059A09D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0059A0BF
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0059A0E7
                                  • __Getctype.LIBCPMT ref: 0059A1C5
                                  • std::_Facet_Register.LIBCPMT ref: 0059A1F9
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0059A223
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID: PDX$PGX$EX
                                  • API String ID: 1102183713-2800748994
                                  • Opcode ID: 9f980843c592bb5c681bf0990278489eeaa0226fa6ef6135ab1c52fee771764a
                                  • Instruction ID: 89db69fc106b7a12f4bcbfea98495c022d6cc802067d29e08903156def197929
                                  • Opcode Fuzzy Hash: 9f980843c592bb5c681bf0990278489eeaa0226fa6ef6135ab1c52fee771764a
                                  • Instruction Fuzzy Hash: BD5198B0D01246DFCF11DF58C9457AEBFB0BB40714F288259D855AB391DB74AA44CBE2
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 005B7307
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 005B730F
                                  • _ValidateLocalCookies.LIBCMT ref: 005B7398
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 005B73C3
                                  • _ValidateLocalCookies.LIBCMT ref: 005B7418
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: `-X$csm
                                  • API String ID: 1170836740-1905254112
                                  • Opcode ID: 9bf277648b66732636178774b6c50e3674fa567e95aa350e3defcc5486bca38f
                                  • Instruction ID: a5d66899e1982b99602f8649b54cd44456e2f0d208955cc878d449534c8d2f98
                                  • Opcode Fuzzy Hash: 9bf277648b66732636178774b6c50e3674fa567e95aa350e3defcc5486bca38f
                                  • Instruction Fuzzy Hash: D9418E34A0420D9BCF10DF68C885AEEBFE5BF89314F148556E8199B392DB31FA05DB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0059C45A
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0059C47C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0059C4A4
                                  • std::_Facet_Register.LIBCPMT ref: 0059C59A
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0059C5C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID: EX$PDX
                                  • API String ID: 459529453-3077487657
                                  • Opcode ID: 9c285c222024e44ccf39a8f14889344acde48911e3ffc1a780a2325a3aaf4b08
                                  • Instruction ID: c03dc3c3cdfd1c51e35d1baf40ceb642cf3e1ef968539353a135e1a4873efd5a
                                  • Opcode Fuzzy Hash: 9c285c222024e44ccf39a8f14889344acde48911e3ffc1a780a2325a3aaf4b08
                                  • Instruction Fuzzy Hash: C951ABB0A00245DFDF11DF58C854BAEBFF0FB41314F248559E849AB381DB75AA05CB91
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  • Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction ID: 620ecf723f188c27a93c9c478f9f29f061dbd67ffe2070b1f9407405a789cd6a
                                  • Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction Fuzzy Hash: 7AB14672E002569FEB218FA8CC83FEA7FA9FF55710F14415AE905AB282D7749D01C7A1
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 005B2730
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 005B273B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 005B27A9
                                    • Part of subcall function 005B288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 005B28A4
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 005B2756
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                  • String ID: `-X
                                  • API String ID: 677527491-4060909851
                                  • Opcode ID: f46bf465325885c946f0a65a7052d80b9f92b62c0895a5a4c8231b83e65d2cc9
                                  • Instruction ID: 809e328ba3d2907baae7fea7e6fbb383b3177d93473f70c5deffe28d9a230e07
                                  • Opcode Fuzzy Hash: f46bf465325885c946f0a65a7052d80b9f92b62c0895a5a4c8231b83e65d2cc9
                                  • Instruction Fuzzy Hash: 54015A75A016129BCB0AEB24D8495BDBFA2FBC9750F154109E81157391CF78BA02CBAA
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0058750C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00587522
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: )X$[json.exception.
                                  • API String ID: 4194217158-4038045775
                                  • Opcode ID: 151a74fdb7cc2aca7247cbe8645a5268969624a0446c8c0fa70ca09b4d0e3421
                                  • Instruction ID: 2fb7d8c6f4519791ac47d206daef4289835a587325ec69db0c5cb88ae45d1673
                                  • Opcode Fuzzy Hash: 151a74fdb7cc2aca7247cbe8645a5268969624a0446c8c0fa70ca09b4d0e3421
                                  • Instruction Fuzzy Hash: 9951E0B0C057499BDB00DFA8C905B9EBFB4FF55314F104259E850AB382E7B45A44C7E1
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0058499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 323602529-1866435925
                                  • Opcode ID: f7472c174918ec07fa445c3fbf22ee52cb0b11a0b8253c9c4391ab427c32b25a
                                  • Instruction ID: aca178d31bb9983c0e8472ca3af3eb651046e4cdad4541588bb34f53a398e091
                                  • Opcode Fuzzy Hash: f7472c174918ec07fa445c3fbf22ee52cb0b11a0b8253c9c4391ab427c32b25a
                                  • Instruction Fuzzy Hash: F9112C72904B856BC720EF5C8C07BAA7B98F745710F044629FE69972C1FB35A901CB92
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00583819
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 005838F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: )X
                                  • API String ID: 2970364248-3875199455
                                  • Opcode ID: 9a918def4731b6d3e5eb7f631f7e489d9cae0af89207ad1cf60661b7062be738
                                  • Instruction ID: dc185f7b4b15437f385b184ef59ab3923e727a87231a502c4f65e37845bbafd7
                                  • Opcode Fuzzy Hash: 9a918def4731b6d3e5eb7f631f7e489d9cae0af89207ad1cf60661b7062be738
                                  • Instruction Fuzzy Hash: 136188B1C01249DFDB10DF98C849B9DFFB5FF08324F14825AE818AB282D7B55A44CBA1
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0058499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::failbit set
                                  • API String ID: 323602529-1240500531
                                  • Opcode ID: 3d5e21e196f706f9aa2556d450240ca84628bd395bc0ea15cb818d9a54b9062a
                                  • Instruction ID: f5039d316d9b04badd714047ae60ea920a96efe4ccd692f8fd554c2830e13bb8
                                  • Opcode Fuzzy Hash: 3d5e21e196f706f9aa2556d450240ca84628bd395bc0ea15cb818d9a54b9062a
                                  • Instruction Fuzzy Hash: 934135B1D00649ABCB04EF58CC45BAEBFB9FB45710F24821DF954AB381E7756A00CBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00584061
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005840C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name
                                  • API String ID: 3988782225-1405518554
                                  • Opcode ID: a53472c7994080b8e441467cbc93c728ddd126100efc478ece229b133f7d293c
                                  • Instruction ID: b63ccfd900e8d89123c323785ac421a5031375b77cf04a983631b3ce5e8af644
                                  • Opcode Fuzzy Hash: a53472c7994080b8e441467cbc93c728ddd126100efc478ece229b133f7d293c
                                  • Instruction Fuzzy Hash: 0911E670805BC4EED721CF68C50878BBFF4AF15714F14868DE4959BB81D3B96604CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 005965C9
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 005965FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: )X
                                  • API String ID: 2659868963-3875199455
                                  • Opcode ID: f5ad671392453e81c40b1df2b3d449eb69b12a16722a7b7d1297c3a418cc5d2e
                                  • Instruction ID: 994437175ba8ac5ccdd29ea24fb74d96126f076d6a2d593c930f8766b66c4eb0
                                  • Opcode Fuzzy Hash: f5ad671392453e81c40b1df2b3d449eb69b12a16722a7b7d1297c3a418cc5d2e
                                  • Instruction Fuzzy Hash: 37112EB1910745EBCB11DF99D980B86FBF9FF09720F10876AE9149B741E774A6408BA0
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00587A5C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00587A72
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3636606230.0000000000581000.00000040.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_580000_Ke5ufWcgxp.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: )X
                                  • API String ID: 4194217158-3875199455
                                  • Opcode ID: a30ba0da27bfc803ad87410e0d68e7e54790bbe79b63413079f58b7bbb588d2b
                                  • Instruction ID: 1156f975b0db08375c48274611ca5dd8c3cba564ac33e30e43bb882534642bdb
                                  • Opcode Fuzzy Hash: a30ba0da27bfc803ad87410e0d68e7e54790bbe79b63413079f58b7bbb588d2b
                                  • Instruction Fuzzy Hash: 01F062B1C04745DFCB10DF98D90178DBBF8FB05724F50066AE415A3781D3B566048BA1

                                  Execution Graph

                                  Execution Coverage:3.5%
                                  Dynamic/Decrypted Code Coverage:0.9%
                                  Signature Coverage:0%
                                  Total number of Nodes:1830
                                  Total number of Limit Nodes:25
RtlAllocateHeap 17007->17008 17009 1ca6a5 ___std_exception_copy 17007->17009 17008->17007 17008->17009 17009->16998 17011 1cb025 __freea 17010->17011 17013 1cb04f 17010->17013 17012 1c16ff ___std_exception_copy RtlAllocateHeap 17011->17012 17011->17013 17012->17013 17013->17003 17015 1c9cde __Getctype 17014->17015 17018 1c9c16 17015->17018 17017 1c9d07 17017->17005 17019 1c9c22 std::_Lockit::_Lockit std::locale::_Setgloballocale 17018->17019 17022 1c9df7 17019->17022 17021 1c9c44 __Getctype 17021->17017 17023 1c9e2d __Getctype 17022->17023 17024 1c9e06 __Getctype 17022->17024 17023->17021 17024->17023 17026 1d2146 17024->17026 17028 1d21c6 17026->17028 17031 1d215c 17026->17031 17027 1d22b7 __Getctype RtlAllocateHeap 17043 1d2222 17027->17043 17029 1cb01a __freea RtlAllocateHeap 17028->17029 17053 1d2214 17028->17053 17030 1d21e8 17029->17030 17034 1cb01a __freea RtlAllocateHeap 17030->17034 17031->17028 17032 1d218f 17031->17032 17036 1cb01a __freea RtlAllocateHeap 17031->17036 17033 1d21b1 17032->17033 17038 1cb01a __freea RtlAllocateHeap 17032->17038 17035 1cb01a __freea RtlAllocateHeap 17033->17035 17037 1d21fb 17034->17037 17040 1d21bb 17035->17040 17042 1d2184 17036->17042 17039 1cb01a __freea RtlAllocateHeap 17037->17039 17044 1d21a6 17038->17044 17045 1d2209 17039->17045 17046 1cb01a __freea RtlAllocateHeap 17040->17046 17041 1d2282 17047 1cb01a __freea RtlAllocateHeap 17041->17047 17048 1d144a __Getctype RtlAllocateHeap 17042->17048 17043->17041 17051 1cb01a RtlAllocateHeap __freea 17043->17051 17049 1d18a9 __Getctype RtlAllocateHeap 17044->17049 17050 1cb01a __freea RtlAllocateHeap 17045->17050 17046->17028 17052 1d2288 17047->17052 17048->17032 17049->17033 17050->17053 17051->17043 17052->17023 17053->17027 17055 1c99c1 17054->17055 17056 1c99b3 17054->17056 17057 1c16ff ___std_exception_copy RtlAllocateHeap 17055->17057 17056->17055 17058 1c99d9 17056->17058 17062 1c99c9 17057->17062 17060 1c99d3 17058->17060 17061 1c16ff ___std_exception_copy 
RtlAllocateHeap 17058->17061 17060->16990 17061->17062 17066 1b8c60 17062->17066 17064 1cb01a __freea RtlAllocateHeap 17063->17064 17065 1c1cae 17064->17065 17065->16991 17069 1b8bac 17066->17069 17070 1b8bbe ___std_exception_copy 17069->17070 17075 1b8be3 17070->17075 17072 1b8bd6 17082 1b899c 17072->17082 17076 1b8bf3 17075->17076 17078 1b8bfa ___std_exception_copy __Getctype 17075->17078 17088 1b8a01 17076->17088 17079 1b8c08 17078->17079 17080 1b8bac ___std_exception_copy RtlAllocateHeap 17078->17080 17079->17072 17081 1b8c6c 17080->17081 17081->17072 17083 1b89a8 17082->17083 17086 1b89bf 17083->17086 17103 1b8a47 17083->17103 17085 1b8a47 ___std_exception_copy RtlAllocateHeap 17087 1b89d2 17085->17087 17086->17085 17086->17087 17087->17060 17089 1b8a10 17088->17089 17092 1ca044 17089->17092 17093 1ca057 __Getctype 17092->17093 17094 1ca65a __Getctype RtlAllocateHeap 17093->17094 17100 1b8a32 17093->17100 17095 1ca087 __Getctype 17094->17095 17096 1ca08f __Getctype 17095->17096 17097 1ca0c3 17095->17097 17098 1cb01a __freea RtlAllocateHeap 17096->17098 17099 1c9c70 __Getctype RtlAllocateHeap 17097->17099 17098->17100 17101 1ca0ce 17099->17101 17100->17078 17102 1cb01a __freea RtlAllocateHeap 17101->17102 17102->17100 17104 1b8a5a 17103->17104 17105 1b8a51 17103->17105 17104->17086 17106 1b8a01 ___std_exception_copy RtlAllocateHeap 17105->17106 17107 1b8a56 17106->17107 17107->17104 17110 1c41c6 17107->17110 17109 1b8a63 17111 1c41cb std::locale::_Setgloballocale 17110->17111 17112 1cf665 std::locale::_Setgloballocale RtlAllocateHeap 17111->17112 17114 1c41d6 std::locale::_Setgloballocale 17111->17114 17112->17114 17113 1c36e2 std::locale::_Setgloballocale RtlAllocateHeap 17115 1c4209 __Getctype std::locale::_Setgloballocale 17113->17115 17114->17113 17115->17109 17198 1b2b99 17116->17198 17119 185410 17120 185419 17119->17120 17122 1b2534 std::_Throw_Cpp_error 3 API calls 17119->17122 17120->16914 17123 185430 17122->17123 17207 1b953c 17123->17207 17127 
182d13 17126->17127 17127->17127 17128 183040 std::_Throw_Cpp_error 2 API calls 17127->17128 17129 182d25 17128->17129 17129->16914 17131 19ad10 17130->17131 17131->17131 17524 19fbf0 17131->17524 17134 183040 std::_Throw_Cpp_error 2 API calls 17133->17134 17135 182d55 17134->17135 17136 2562c0 17135->17136 17137 256358 17136->17137 17139 256361 std::locale::_Setgloballocale 17136->17139 17533 19e4b0 17137->17533 17142 256553 17139->17142 17148 25654f 17139->17148 17556 274760 17139->17556 17567 1a4160 17139->17567 17143 256580 std::ios_base::_Ios_base_dtor 17142->17143 17145 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17142->17145 17143->16919 17146 2565ce 17145->17146 17147 1b3069 __Xtime_get_ticks GetSystemTimePreciseAsFileTime 17146->17147 17149 2565d6 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17147->17149 17148->17142 17635 196130 17148->17635 17149->16919 17722 1b975e 17150->17722 17152 1b9832 17152->16928 17174 1c1628 17152->17174 17154 19629d 17153->17154 17155 1962b1 17153->17155 17156 196130 2 API calls 17154->17156 17155->16928 17156->17155 17158 1c12ca ___std_exception_copy 17157->17158 17746 1bd6a5 17158->17746 17160 1c12e4 17161 1b899c ___std_exception_copy RtlAllocateHeap 17160->17161 17162 1c12f1 17161->17162 17162->16928 17164 24f2f6 std::locale::_Setgloballocale 17163->17164 17905 19ab20 17164->17905 17167 198f00 std::_Throw_Cpp_error 2 API calls 17168 24f47f 17167->17168 17910 183440 17168->17910 17171 24f58b std::ios_base::_Ios_base_dtor 17171->16928 17172 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17173 24f5ce 17172->17173 17173->16928 17175 1c163b ___std_exception_copy 17174->17175 18151 1c140a 17175->18151 17177 1c1650 17178 1b899c ___std_exception_copy RtlAllocateHeap 17177->17178 17179 1c165d 17178->17179 17180 1bd0a8 17179->17180 17181 1bd0bb ___std_exception_copy 17180->17181 18252 1bcf83 17181->18252 17183 1bd0c7 17184 1b899c ___std_exception_copy RtlAllocateHeap 17183->17184 17185 1bd0d3 17184->17185 17185->16928 18322 197ef0 
17186->18322 17188 19b48d 18339 1a2100 17188->18339 17192 19b503 17192->16928 18706 1d8bb0 17193->18706 17195 1d8b31 std::locale::_Locimp::_Locimp 17196 183040 std::_Throw_Cpp_error 2 API calls 17195->17196 17197 1d8b7c 17196->17197 17197->16928 17213 1b2bc8 17198->17213 17200 185409 17200->17119 17201 1b2534 17200->17201 17202 1b254a std::_Throw_Cpp_error 17201->17202 17220 1b24e7 17202->17220 17205 1b255a __EH_prolog3 std::_Throw_Cpp_error 17226 199cb0 17205->17226 17206 1b25c7 std::_Throw_Cpp_error 17206->17119 17208 1b954f ___std_exception_copy 17207->17208 17508 1b93db 17208->17508 17210 1b955e 17211 1b899c ___std_exception_copy RtlAllocateHeap 17210->17211 17212 185450 17211->17212 17212->16914 17216 1b2be2 17213->17216 17214 1b2bf2 _ValidateLocalCookies 17214->17200 17216->17214 17217 1b302b 17216->17217 17218 1b3069 __Xtime_get_ticks GetSystemTimePreciseAsFileTime 17217->17218 17219 1b3036 __aulldiv __aullrem 17218->17219 17219->17216 17221 1b24f3 __EH_prolog3_GS 17220->17221 17222 182cf0 std::_Throw_Cpp_error 2 API calls 17221->17222 17223 1b2507 17222->17223 17237 1836e0 17223->17237 17225 1b251c std::_Throw_Cpp_error 17225->17205 17264 184900 17226->17264 17228 199d26 17229 1b3672 std::_Facet_Register 2 API calls 17228->17229 17230 199d2d 17229->17230 17269 1b2729 17230->17269 17232 199d39 17277 19a060 17232->17277 17234 199d76 17235 199dc7 std::_Throw_Cpp_error 17234->17235 17236 184900 std::_Throw_Cpp_error 2 API calls 17234->17236 17235->17206 17236->17235 17238 1963b0 std::_Throw_Cpp_error 2 API calls 17237->17238 17239 183731 17238->17239 17240 18375a 17239->17240 17251 198f00 17239->17251 17242 198f00 std::_Throw_Cpp_error 2 API calls 17240->17242 17243 18378a 17242->17243 17244 1b4b15 ___std_exception_copy 2 API calls 17243->17244 17246 18381e 17244->17246 17245 18385f std::ios_base::_Ios_base_dtor 17245->17225 17246->17245 17247 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17246->17247 17248 1838b0 17247->17248 17260 1b4b78 17248->17260 17250 
1838f5 std::ios_base::_Ios_base_dtor 17250->17225 17252 198f4f 17251->17252 17253 198f22 std::locale::_Locimp::_Locimp 17251->17253 17254 1832d0 std::_Throw_Cpp_error 2 API calls 17252->17254 17255 19902f std::ios_base::_Ios_base_dtor 17252->17255 17253->17240 17256 198fa4 std::locale::_Locimp::_Locimp 17254->17256 17255->17240 17257 199002 std::locale::_Locimp::_Locimp 17256->17257 17258 182fe0 std::_Throw_Cpp_error RtlAllocateHeap 17256->17258 17257->17240 17259 198fef 17258->17259 17259->17240 17261 1b4b8c 17260->17261 17262 1b4b85 17260->17262 17261->17250 17263 1c1c96 __freea RtlAllocateHeap 17262->17263 17263->17261 17265 184922 17264->17265 17266 18491a std::_Throw_Cpp_error 17264->17266 17265->17228 17289 1847f0 17266->17289 17268 184968 std::ios_base::_Ios_base_dtor std::_Throw_Cpp_error 17268->17228 17270 1b2735 __EH_prolog3 std::_Lockit::_Lockit 17269->17270 17275 1b2771 std::_Throw_Cpp_error std::_Lockit::~_Lockit 17270->17275 17307 1b288c 17270->17307 17272 1b2753 17313 1b28af 17272->17313 17275->17232 17279 19a0a2 std::_Throw_Cpp_error std::_Lockit::~_Lockit std::_Lockit::_Lockit 17277->17279 17278 19a144 std::_Lockit::~_Lockit 17278->17234 17279->17278 17280 1b3672 std::_Facet_Register 2 API calls 17279->17280 17281 19a152 17280->17281 17378 184040 17281->17378 17287 19a1f1 17413 1b26f7 17287->17413 17290 184851 17289->17290 17290->17290 17301 183040 17290->17301 17292 184865 17293 1836e0 std::_Throw_Cpp_error 2 API calls 17292->17293 17295 18487b 17293->17295 17294 1848a5 std::ios_base::_Ios_base_dtor 17294->17268 17295->17294 17296 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17295->17296 17298 1848f7 std::_Throw_Cpp_error 17296->17298 17297 184922 17297->17268 17298->17297 17299 1847f0 std::_Throw_Cpp_error 2 API calls 17298->17299 17300 184968 std::ios_base::_Ios_base_dtor std::_Throw_Cpp_error 17299->17300 17300->17268 17303 183052 17301->17303 17304 1830c8 17301->17304 17302 183057 std::locale::_Locimp::_Locimp 17302->17292 17303->17302 17305 
1832d0 std::_Throw_Cpp_error 2 API calls 17303->17305 17304->17292 17306 1830a3 std::locale::_Locimp::_Locimp 17305->17306 17306->17292 17308 1b3672 std::_Facet_Register 2 API calls 17307->17308 17309 1b2897 17308->17309 17310 1b28ab 17309->17310 17323 1b2611 17309->17323 17310->17272 17314 1b28bb 17313->17314 17315 1b275b 17313->17315 17326 1b333a 17314->17326 17317 195a60 17315->17317 17318 195a86 17317->17318 17322 195ab3 std::locale::_Locimp::_Locimp 17317->17322 17319 1c1c96 __freea RtlAllocateHeap 17318->17319 17320 195a90 17318->17320 17319->17320 17321 1c23ec ___std_exception_copy 2 API calls 17320->17321 17320->17322 17321->17322 17322->17275 17324 195a60 std::locale::_Locimp::_Locimp 2 API calls 17323->17324 17325 1b264b 17324->17325 17325->17272 17327 1b334a std::locale::_Setgloballocale 17326->17327 17327->17315 17330 1c41d6 std::locale::_Setgloballocale 17327->17330 17332 1cf665 17327->17332 17353 1c36e2 17330->17353 17331 1c4209 __Getctype std::locale::_Setgloballocale 17331->17315 17333 1cf671 std::locale::_Setgloballocale 17332->17333 17334 1c9f93 ___std_exception_copy RtlAllocateHeap 17333->17334 17335 1cf6c1 17333->17335 17338 1cf6a2 std::locale::_Setgloballocale 17333->17338 17340 1cf6d3 std::_Lockit::_Lockit std::locale::_Setgloballocale 17333->17340 17334->17338 17336 1c16ff ___std_exception_copy RtlAllocateHeap 17335->17336 17337 1cf6c6 17336->17337 17339 1b8c60 ___std_exception_copy RtlAllocateHeap 17337->17339 17338->17335 17338->17340 17352 1cf6ab 17338->17352 17339->17352 17341 1cf746 17340->17341 17342 1cf843 std::_Lockit::~_Lockit 17340->17342 17344 1cf774 std::locale::_Setgloballocale 17340->17344 17341->17344 17356 1c9e42 17341->17356 17343 1c36e2 std::locale::_Setgloballocale RtlAllocateHeap 17342->17343 17345 1cf856 17343->17345 17347 1c9e42 __Getctype RtlAllocateHeap 17344->17347 17350 1cf7c9 17344->17350 17344->17352 17347->17350 17349 1c9e42 __Getctype RtlAllocateHeap 17349->17344 17351 1c9e42 __Getctype RtlAllocateHeap 
17350->17351 17350->17352 17351->17352 17352->17330 17370 1c3552 17353->17370 17355 1c36f3 17355->17331 17357 1c9e4b __Getctype 17356->17357 17358 1ca65a __Getctype RtlAllocateHeap 17357->17358 17359 1c9e62 17357->17359 17361 1c9e8f __Getctype 17358->17361 17360 1c9ef2 17359->17360 17362 1c41c6 __Getctype RtlAllocateHeap 17359->17362 17360->17349 17363 1c9ecf 17361->17363 17364 1c9e97 __Getctype 17361->17364 17365 1c9efc 17362->17365 17367 1c9c70 __Getctype RtlAllocateHeap 17363->17367 17366 1cb01a __freea RtlAllocateHeap 17364->17366 17366->17359 17368 1c9eda 17367->17368 17369 1cb01a __freea RtlAllocateHeap 17368->17369 17369->17359 17371 1c357f std::locale::_Setgloballocale 17370->17371 17374 1c33e3 17371->17374 17373 1c35c8 std::locale::_Setgloballocale 17373->17355 17375 1c33ef std::_Lockit::_Lockit std::locale::_Setgloballocale 17374->17375 17376 1c346a std::locale::_Setgloballocale RtlAllocateHeap 17375->17376 17377 1c3406 std::locale::_Setgloballocale 17376->17377 17377->17373 17379 184066 std::_Lockit::_Lockit 17378->17379 17380 1840c2 17379->17380 17381 1840e6 17379->17381 17416 1b2827 17380->17416 17425 1b1d4a 17381->17425 17385 1840f0 17386 1b2cf4 17457 1c3cf8 17386->17457 17388 1b2cfd __Getctype 17389 1b2d17 17388->17389 17390 1b2d35 17388->17390 17462 1c454e 17389->17462 17392 1c454e __Getctype RtlAllocateHeap 17390->17392 17393 1b2d1e 17392->17393 17467 1c3d42 17393->17467 17396 19a1ca 17398 184100 17396->17398 17504 1b2872 17398->17504 17401 184140 17403 18415b 17401->17403 17404 1c1c96 __freea RtlAllocateHeap 17401->17404 17402 1c1c96 __freea RtlAllocateHeap 17402->17401 17405 1c1c96 __freea RtlAllocateHeap 17403->17405 17409 184176 17403->17409 17404->17403 17405->17409 17406 1c1c96 __freea RtlAllocateHeap 17408 184191 17406->17408 17407 1841ac 17411 1841c7 std::_Lockit::~_Lockit 17407->17411 17412 1c1c96 __freea RtlAllocateHeap 17407->17412 17408->17407 17410 1c1c96 __freea RtlAllocateHeap 17408->17410 17409->17406 17409->17408 17410->17407 
17411->17287 17412->17411 17414 1b3672 std::_Facet_Register 2 API calls 17413->17414 17415 1b2702 17414->17415 17415->17278 17428 1c4516 17416->17428 17419 195a60 std::locale::_Locimp::_Locimp 2 API calls 17420 1b284b 17419->17420 17421 1c4516 std::_Locinfo::_Locinfo_ctor 2 API calls 17420->17421 17422 1b285b 17420->17422 17421->17422 17423 195a60 std::locale::_Locimp::_Locimp 2 API calls 17422->17423 17424 1840c9 17423->17424 17424->17386 17454 183540 17425->17454 17427 1b1d5b std::_Throw_Cpp_error 17427->17385 17429 1c4523 std::_Lockit::_Lockit 17428->17429 17432 1c42c1 17429->17432 17431 1b2833 17431->17419 17433 1c42cd std::_Lockit::_Lockit std::locale::_Setgloballocale 17432->17433 17436 1c431c 17433->17436 17435 1c42e8 std::_Locinfo::_Locinfo_ctor 17435->17431 17437 1c447b std::_Locinfo::_Locinfo_ctor RtlAllocateHeap RtlAllocateHeap 17436->17437 17438 1c4337 17437->17438 17439 1c9e42 __Getctype RtlAllocateHeap 17438->17439 17444 1c4370 __Getctype 17438->17444 17440 1c4344 17439->17440 17441 1c3379 std::_Locinfo::_Locinfo_ctor RtlAllocateHeap RtlAllocateHeap 17440->17441 17442 1c4369 17441->17442 17443 1cb094 std::_Locinfo::_Locinfo_ctor RtlAllocateHeap RtlAllocateHeap 17442->17443 17442->17444 17445 1c4395 17443->17445 17444->17435 17445->17444 17446 1c3379 std::_Locinfo::_Locinfo_ctor RtlAllocateHeap RtlAllocateHeap 17445->17446 17447 1c43b1 17446->17447 17448 1c43b8 17447->17448 17449 1c43d3 17447->17449 17448->17444 17450 1cb01a __freea RtlAllocateHeap 17448->17450 17451 1cb01a __freea RtlAllocateHeap 17449->17451 17452 1c43fe 17449->17452 17450->17444 17451->17452 17452->17444 17453 1cb01a __freea RtlAllocateHeap 17452->17453 17453->17444 17455 1b4b15 ___std_exception_copy 2 API calls 17454->17455 17456 183585 17455->17456 17456->17427 17458 1c9e42 __Getctype RtlAllocateHeap 17457->17458 17459 1c3d03 17458->17459 17478 1ca12d 17459->17478 17463 1c9e42 __Getctype RtlAllocateHeap 17462->17463 17464 1c4559 17463->17464 17465 1ca12d __Getctype RtlAllocateHeap 
17464->17465 17466 1c4569 17465->17466 17466->17393 17468 1c9e42 __Getctype RtlAllocateHeap 17467->17468 17469 1c3d4d 17468->17469 17470 1ca12d __Getctype RtlAllocateHeap 17469->17470 17471 1b2d46 17470->17471 17471->17396 17472 1c4572 17471->17472 17473 1c45b3 __Getctype 17472->17473 17474 1c457f 17472->17474 17473->17396 17475 1c23ec ___std_exception_copy 2 API calls 17474->17475 17476 1c45a2 17475->17476 17476->17473 17495 1ce2f4 17476->17495 17479 1ca140 17478->17479 17481 1c3d13 17478->17481 17479->17481 17482 1d2392 17479->17482 17481->17388 17483 1d239e std::locale::_Setgloballocale 17482->17483 17484 1c9e42 __Getctype RtlAllocateHeap 17483->17484 17486 1d23a7 std::_Lockit::_Lockit 17484->17486 17485 1d23ed 17485->17481 17486->17485 17491 1d2413 17486->17491 17488 1d23d6 __Getctype 17488->17485 17489 1c41c6 __Getctype RtlAllocateHeap 17488->17489 17490 1d2412 17489->17490 17492 1d2421 __Getctype 17491->17492 17494 1d242e 17491->17494 17493 1d2146 __Getctype RtlAllocateHeap 17492->17493 17492->17494 17493->17494 17494->17488 17496 1ce302 17495->17496 17498 1ce310 17495->17498 17496->17498 17502 1ce32a 17496->17502 17497 1c16ff ___std_exception_copy RtlAllocateHeap 17499 1ce31a 17497->17499 17498->17497 17500 1b8c60 ___std_exception_copy RtlAllocateHeap 17499->17500 17501 1ce324 17500->17501 17501->17473 17502->17501 17503 1c16ff ___std_exception_copy RtlAllocateHeap 17502->17503 17503->17499 17505 18412c 17504->17505 17506 1b287e 17504->17506 17505->17401 17505->17402 17507 1c4516 std::_Locinfo::_Locinfo_ctor 2 API calls 17506->17507 17507->17505 17509 1b93e7 std::locale::_Setgloballocale 17508->17509 17510 1b93f0 17509->17510 17512 1b9414 17509->17512 17511 1b8be3 ___std_exception_copy RtlAllocateHeap 17510->17511 17516 1b9409 17511->17516 17514 1b9432 17512->17514 17517 1ca1e9 17512->17517 17515 1b8be3 ___std_exception_copy RtlAllocateHeap 17514->17515 17514->17516 17515->17516 17516->17210 17518 1ca20a 17517->17518 17519 1ca1f5 17517->17519 17518->17514 
17520 1c16ff ___std_exception_copy RtlAllocateHeap 17519->17520 17521 1ca1fa 17520->17521 17522 1b8c60 ___std_exception_copy RtlAllocateHeap 17521->17522 17523 1ca205 17522->17523 17523->17514 17525 19fc8d 17524->17525 17529 19fc12 std::locale::_Locimp::_Locimp 17524->17529 17526 19fd5e 17525->17526 17527 1832d0 std::_Throw_Cpp_error 2 API calls 17525->17527 17528 19fce1 std::locale::_Locimp::_Locimp 17527->17528 17530 19fd3a std::locale::_Locimp::_Locimp 17528->17530 17531 182fe0 std::_Throw_Cpp_error RtlAllocateHeap 17528->17531 17532 19fd27 17531->17532 17534 19e528 17533->17534 17535 19e4c2 17533->17535 17646 183330 17534->17646 17537 19e4f9 17535->17537 17538 19e4ca 17535->17538 17541 19e516 17537->17541 17543 1b3672 std::_Facet_Register 2 API calls 17537->17543 17539 19e52d 17538->17539 17540 19e4d1 17538->17540 17544 182b50 Concurrency::cancel_current_task 2 API calls 17539->17544 17542 1b3672 std::_Facet_Register 2 API calls 17540->17542 17541->17139 17545 19e4d7 17542->17545 17546 19e503 17543->17546 17544->17545 17547 19e4e0 17545->17547 17548 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17545->17548 17546->17139 17547->17139 17549 19e537 17548->17549 17649 196ad0 17549->17649 17551 19e574 17552 184900 std::_Throw_Cpp_error 2 API calls 17551->17552 17553 19e5fb 17552->17553 17554 19e613 17553->17554 17653 199b60 17553->17653 17554->17139 17557 274767 17556->17557 17558 27476c 17556->17558 17557->17139 17559 1c23ec ___std_exception_copy 2 API calls 17558->17559 17565 2747af 17558->17565 17559->17565 17560 2747c2 17560->17139 17561 274877 17561->17139 17562 1c1c96 __freea RtlAllocateHeap 17563 274867 17562->17563 17563->17139 17564 274821 17564->17561 17564->17562 17565->17560 17565->17564 17566 1c1c96 __freea RtlAllocateHeap 17565->17566 17566->17564 17568 1a4288 17567->17568 17569 1a4195 17567->17569 17571 183330 2 API calls 17568->17571 17570 1a41b1 17569->17570 17573 1a4202 17569->17573 17574 1a41f2 17569->17574 17576 1b3672 std::_Facet_Register 2 API 
calls 17570->17576 17572 1a428d 17571->17572 17575 182b50 Concurrency::cancel_current_task 2 API calls 17572->17575 17578 1b3672 std::_Facet_Register 2 API calls 17573->17578 17584 1a41cf std::locale::_Locimp::_Locimp std::locale::_Setgloballocale 17573->17584 17574->17570 17574->17572 17577 1a4292 17575->17577 17579 1a41c4 17576->17579 17580 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17577->17580 17578->17584 17579->17577 17579->17584 17581 1a4297 17580->17581 17582 1a42fa 17581->17582 17583 1a43e9 17581->17583 17693 1a6ff0 17582->17693 17585 183330 2 API calls 17583->17585 17688 1a77d0 17584->17688 17586 1a43ee 17585->17586 17588 1a445a 17586->17588 17589 1a4549 17586->17589 17593 1a6ff0 2 API calls 17588->17593 17591 183330 2 API calls 17589->17591 17601 1a454e 17591->17601 17592 1a425e 17592->17139 17596 1a4496 17593->17596 17594 1a470b 17595 183330 2 API calls 17594->17595 17621 1a46af 17595->17621 17600 1963b0 std::_Throw_Cpp_error 2 API calls 17596->17600 17597 1a4706 17598 182b50 Concurrency::cancel_current_task 2 API calls 17597->17598 17598->17594 17599 1a4336 17701 1a7830 17599->17701 17613 1a44c4 17600->17613 17601->17594 17601->17597 17602 1a45ee 17601->17602 17603 1a4615 17601->17603 17602->17597 17605 1a45f9 17602->17605 17610 1b3672 std::_Facet_Register 2 API calls 17603->17610 17617 1a45ff 17603->17617 17604 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17606 1a4715 17604->17606 17607 1b3672 std::_Facet_Register 2 API calls 17605->17607 17713 19d010 17606->17713 17607->17617 17610->17617 17611 1a43b0 17611->17139 17615 1a7830 RtlAllocateHeap 17613->17615 17618 1a4510 17615->17618 17616 1a472f std::_Throw_Cpp_error 17620 1a4798 17616->17620 17623 1a475b 17616->17623 17624 1a477f 17616->17624 17619 1a46d1 std::ios_base::_Ios_base_dtor 17617->17619 17617->17621 17706 1b1f9c 17617->17706 17618->17139 17619->17139 17622 182b50 Concurrency::cancel_current_task 2 API calls 17620->17622 17621->17604 17621->17619 17626 1a4768 17622->17626 17623->17620 
17627 1a4762 17623->17627 17625 1a4791 17624->17625 17628 1b3672 std::_Facet_Register 2 API calls 17624->17628 17625->17139 17630 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17626->17630 17634 1a4771 17626->17634 17631 1b3672 std::_Facet_Register 2 API calls 17627->17631 17632 1a4789 17628->17632 17633 1a47a2 17630->17633 17631->17626 17632->17139 17634->17139 17636 196174 17635->17636 17638 196143 std::locale::_Locimp::_Locimp 17635->17638 17637 196180 17636->17637 17639 196200 17636->17639 17640 1832d0 std::_Throw_Cpp_error 2 API calls 17637->17640 17638->17142 17639->17639 17641 198f00 std::_Throw_Cpp_error 2 API calls 17639->17641 17642 1961bf std::locale::_Locimp::_Locimp 17640->17642 17643 196232 17641->17643 17644 1961ed 17642->17644 17645 182fe0 std::_Throw_Cpp_error RtlAllocateHeap 17642->17645 17643->17142 17644->17142 17645->17644 17657 1b1cea 17646->17657 17651 196b02 17649->17651 17650 196b1d 17650->17551 17651->17650 17677 1950e0 17651->17677 17654 199bbb 17653->17654 17655 199b96 17653->17655 17654->17554 17655->17654 17685 1988a0 17655->17685 17664 1b1a9f 17657->17664 17659 1b1cfb std::_Throw_Cpp_error 17667 1b1af4 17659->17667 17661 1b1d1b std::_Throw_Cpp_error 17670 1b1b37 17661->17670 17663 1b1d3b std::_Throw_Cpp_error 17674 1834e0 17664->17674 17668 1834e0 std::invalid_argument::invalid_argument 2 API calls 17667->17668 17669 1b1b06 17668->17669 17669->17661 17671 1b1b4b std::regex_error::regex_error 17670->17671 17672 1834e0 std::invalid_argument::invalid_argument 2 API calls 17671->17672 17673 1b1b54 17672->17673 17673->17663 17675 1b4b15 ___std_exception_copy 2 API calls 17674->17675 17676 183522 17675->17676 17676->17659 17678 1951b5 17677->17678 17679 195117 17677->17679 17678->17650 17680 196ad0 2 API calls 17679->17680 17681 195120 17680->17681 17682 19519d 17681->17682 17683 184900 std::_Throw_Cpp_error 2 API calls 17681->17683 17682->17678 17684 199b60 2 API calls 17682->17684 17683->17682 17684->17678 17686 184900 
std::_Throw_Cpp_error 2 API calls 17685->17686 17687 1988bf 17686->17687 17687->17654 17689 1a77f9 std::ios_base::_Ios_base_dtor 17688->17689 17690 1a77dc 17688->17690 17689->17592 17690->17689 17691 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17690->17691 17692 1a7824 17691->17692 17694 1a6ff9 17693->17694 17695 1a703c 17693->17695 17694->17695 17696 1b3672 std::_Facet_Register 2 API calls 17694->17696 17698 1a7013 17694->17698 17695->17695 17696->17698 17697 1b3672 std::_Facet_Register 2 API calls 17699 1a7035 17697->17699 17698->17697 17700 1a701c 17698->17700 17699->17599 17700->17599 17702 1a7882 std::ios_base::_Ios_base_dtor 17701->17702 17703 1a783d 17701->17703 17702->17611 17703->17702 17704 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17703->17704 17705 1a78b6 17704->17705 17707 1b1fb2 17706->17707 17708 1b1fa5 17706->17708 17707->17617 17708->17707 17709 1c41c6 __Getctype RtlAllocateHeap 17708->17709 17710 1b1fbb 17709->17710 17711 1b1f9c RtlAllocateHeap 17710->17711 17712 1b1fca 17711->17712 17712->17617 17714 19d01a 17713->17714 17715 19d02e 17713->17715 17714->17715 17716 1b1f9c RtlAllocateHeap 17714->17716 17717 199910 17715->17717 17716->17714 17718 199928 17717->17718 17719 199938 std::ios_base::_Ios_base_dtor 17717->17719 17718->17719 17720 1b8c70 std::_Throw_Cpp_error RtlAllocateHeap 17718->17720 17719->17616 17721 19994d 17720->17721 17725 1b976a std::locale::_Setgloballocale 17722->17725 17723 1b9771 17724 1c16ff ___std_exception_copy RtlAllocateHeap 17723->17724 17726 1b9776 17724->17726 17725->17723 17727 1b9791 17725->17727 17728 1b8c60 ___std_exception_copy RtlAllocateHeap 17726->17728 17729 1b97a3 17727->17729 17730 1b9796 17727->17730 17733 1b9781 17728->17733 17736 1ca8ef 17729->17736 17731 1c16ff ___std_exception_copy RtlAllocateHeap 17730->17731 17731->17733 17733->17152 17734 1b97ac 17734->17733 17735 1c16ff ___std_exception_copy RtlAllocateHeap 17734->17735 17735->17733 17737 1ca8fb std::_Lockit::_Lockit 
19375 1b8be3 ___std_exception_copy RtlAllocateHeap 19373->19375 19374->19373 19376 1bd3a2 19374->19376 19378 1bd37a 19375->19378 19379 1bd4d0 19376->19379 19378->19369 19380 1bd4e3 19379->19380 19381 1bd4f6 19379->19381 19380->19378 19388 1bd3f7 19381->19388 19383 1bd519 19384 1b9a91 4 API calls 19383->19384 19387 1bd5a7 19383->19387 19385 1bd547 19384->19385 19386 1c263d 2 API calls 19385->19386 19386->19387 19387->19378 19389 1bd460 19388->19389 19390 1bd408 19388->19390 19389->19383 19390->19389 19391 1c25fd SetFilePointerEx RtlAllocateHeap 19390->19391 19391->19389 19393 1c122b 19392->19393 19394 1c1216 19392->19394 19393->19340 19395 1c16ff ___std_exception_copy RtlAllocateHeap 19394->19395 19396 1c121b 19395->19396 19397 1b8c60 ___std_exception_copy RtlAllocateHeap 19396->19397 19398 1c1226 19397->19398 19398->19340 19414 4e00b10 19415 4e00b13 19414->19415 19416 4e00b86 GetCurrentHwProfileW 19414->19416 19417 4e00b2b GetCurrentHwProfileW 19415->19417 19421 4e00b97 19416->19421 19419 4e00b1e GetCurrentHwProfileW 19417->19419 19419->19421

                                  Control-flow Graph

                                  APIs
                                  • setsockopt.WS2_32(000003F4,0000FFFF,00001006,?,00000008), ref: 00247BA6
                                  • recv.WS2_32(?,00000004,00000002), ref: 00247BC1
                                  • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00247C43
                                  • recv.WS2_32(00000000,0000000C,00000008), ref: 00247C64
                                  • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00247D01
                                    • Part of subcall function 00248590: WSAStartup.WS2_32 ref: 002485BA
                                    • Part of subcall function 00248590: socket.WS2_32(?,?,?,?,?,?,00309328,?,?), ref: 0024865E
                                    • Part of subcall function 00248590: connect.WS2_32(00000000,002D9BFC,?,?,?,?,00309328,?,?), ref: 00248671
                                    • Part of subcall function 00248590: closesocket.WS2_32(00000000), ref: 0024867D
                                  • recv.WS2_32(00000000,?,00000008), ref: 00247D1B
                                  • recv.WS2_32(?,00000004,00000008), ref: 00247E23
                                  • __Xtime_get_ticks.LIBCPMT ref: 00247E2A
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00247E38
                                  • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00247EB1
                                  • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00247EB9
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
                                  • String ID:
                                  • API String ID: 301102601-0
                                  • Opcode ID: e459f39bedbfcde756fe09d17baf4b6f1983af703d579ab8916ee786210360a5
                                  • Instruction ID: 01167bdf9768f9e657ac40c74d19d4d54c6a217bf08524f0b5f902fd79cde8a4
                                  • Opcode Fuzzy Hash: e459f39bedbfcde756fe09d17baf4b6f1983af703d579ab8916ee786210360a5
                                  • Instruction Fuzzy Hash: 31B1DC70D14308DFEB15DFA4CC99BAEBBB5BB54304F20425AE454AB2E2D7B06D44CB91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 57 248590-2485c2 WSAStartup 58 248696-24869f 57->58 59 2485c8-2485f2 call 26a420 * 2 57->59 64 2485f4-2485f8 59->64 65 2485fe-248644 59->65 64->58 64->65 67 248646-24864c 65->67 68 248690 65->68 69 2486a4-2486ae 67->69 70 24864e 67->70 68->58 69->68 76 2486b0-2486b8 69->76 71 248654-248668 socket 70->71 71->68 72 24866a-24867a connect 71->72 74 2486a0 72->74 75 24867c-248684 closesocket 72->75 74->69 75->71 77 248686-24868f 75->77 77->68
                                  APIs
                                  • WSAStartup.WS2_32 ref: 002485BA
                                  • socket.WS2_32(?,?,?,?,?,?,00309328,?,?), ref: 0024865E
                                  • connect.WS2_32(00000000,002D9BFC,?,?,?,?,00309328,?,?), ref: 00248671
                                  • closesocket.WS2_32(00000000), ref: 0024867D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 1af561908ef579670e3d1af10d3653286799cc6cea5bb4fb2a7b829d2d04a81f
                                  • Instruction ID: 7d1400bf024d6f60fb893602969403958cd287b7d443665c5f18de8790e2255e
                                  • Opcode Fuzzy Hash: 1af561908ef579670e3d1af10d3653286799cc6cea5bb4fb2a7b829d2d04a81f
                                  • Instruction Fuzzy Hash: CD3137729253015BC7209F248C4062FB7E8FFC5334F125F19FAA8A31E0D7309C648A92

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 79 189280-1892dd call 1963b0 82 189413-189521 call 182df0 call 26a420 79->82 83 1892e3-1892e9 79->83 99 189523-189535 82->99 100 189537-18953f call 198dc0 82->100 84 1892f0-189313 83->84 86 189324-189331 84->86 87 189315-18931f 84->87 91 189342-18934f 86->91 92 189333-18933d 86->92 90 189403-189406 87->90 94 189409-18940d 90->94 95 189360-18936d 91->95 96 189351-18935b 91->96 92->90 94->82 94->84 97 18937e-18938b 95->97 98 18936f-189379 95->98 96->90 101 189399-1893a6 97->101 102 18938d-189397 97->102 98->90 103 189544-189597 call 26a420 * 2 99->103 100->103 105 1893a8-1893b2 101->105 106 1893b4-1893c1 101->106 102->90 116 189599-1895c8 call 26a420 call 1b5270 103->116 117 1895cb-1895e1 call 26a420 103->117 105->90 108 1893cf-1893dc 106->108 109 1893c3-1893cd 106->109 111 1893ea-1893f4 108->111 112 1893de-1893e8 108->112 109->90 111->94 115 1893f6-1893ff 111->115 112->90 115->90 116->117 122 1896e2 117->122 123 1895e7-1895ed 117->123 126 1896e6-1896f0 122->126 125 1895f0-1896ce WSASend 123->125 145 18975f-189763 125->145 146 1896d4-1896dc 125->146 128 18971e-18973d 126->128 129 1896f2-1896fe 126->129 130 18976f-189796 128->130 131 18973f-18974b 128->131 133 189700-18970e 129->133 134 189714-18971b call 1b38f3 129->134 135 18974d-18975b 131->135 136 189765-18976c call 1b38f3 131->136 133->134 137 189797-1897fe call 1b8c70 call 182df0 * 2 133->137 134->128 135->137 139 18975d 135->139 136->130 139->136 145->126 146->122 146->125
                                  APIs
                                  • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,002CD15C,00000000,76A923A0,-00309880), ref: 001896C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Send
                                  • String ID: Ws2_32.dll
                                  • API String ID: 121738739-3093949381
                                  • Opcode ID: bb3c4c721826dcc8540e76718a7f58e54a343a240de1c87e8abc00fc534e5bea
                                  • Instruction ID: 5ef0cd9ef63313e25aae1e0c4fd9f1fdb95815cb7ef5141bce2a8d6eddfca6ba
                                  • Opcode Fuzzy Hash: bb3c4c721826dcc8540e76718a7f58e54a343a240de1c87e8abc00fc534e5bea
                                  • Instruction Fuzzy Hash: 8102EDB0D14298DFDF25DFA4C8907ACBBB0FF55304F284289E4856B686D7741A86CF92

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 152 4e00983-4e00b77 call 4e00b2b 173 4e00b90-4e00b92 GetCurrentHwProfileW 152->173 174 4e00b97-4e00b98 173->174 175 4e00b99-4e00bd4 call 4e00bde 174->175 179 4e00bd6-4e00bd7 175->179 179->174 180 4e00bd9-4e00e3e call 4e00dc2 179->180
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3656088986.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: d3da07d99dbc7d35c5d1ed12d979d988e1cd75fb33e7aac23c4803b90cccb1ef
                                  • Instruction ID: 13c4a80cd71d6e733d1c2640680055a7a191ec49ce5e701ed72bc2dbe3f1a571
                                  • Opcode Fuzzy Hash: d3da07d99dbc7d35c5d1ed12d979d988e1cd75fb33e7aac23c4803b90cccb1ef
                                  • Instruction Fuzzy Hash: AE618BEB24C121BDF10281823B64FFA676DE7D2730330E86AF857D1482F7946ACA6131

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 210 4e00b22-4e00b77 213 4e00b90-4e00b92 GetCurrentHwProfileW 210->213 214 4e00b97-4e00b98 213->214 215 4e00b99-4e00bd4 call 4e00bde 214->215 219 4e00bd6-4e00bd7 215->219 219->214 220 4e00bd9-4e00e3e call 4e00dc2 219->220
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(04E00B1E), ref: 04E00B92
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3656088986.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 6d642d7d7211f1c28b6b23f1e5fb6d09bfd852706407c325e5cd14a5a50b4fe2
                                  • Instruction ID: ac7a9d0d1d60efa3394573abb64d9a93f52623a425b833d769e131a4c32c56bb
                                  • Opcode Fuzzy Hash: 6d642d7d7211f1c28b6b23f1e5fb6d09bfd852706407c325e5cd14a5a50b4fe2
                                  • Instruction Fuzzy Hash: 62418BEB24C121BDF50282813B64FFA6B6DE7D2730330E866F817D1082F7946A8A6531

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 250 4e00b2b-4e00b77 253 4e00b90-4e00b92 GetCurrentHwProfileW 250->253 254 4e00b97-4e00b98 253->254 255 4e00b99-4e00bd4 call 4e00bde 254->255 259 4e00bd6-4e00bd7 255->259 259->254 260 4e00bd9-4e00e3e call 4e00dc2 259->260
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(04E00B1E), ref: 04E00B92
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3656088986.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 170b5571e310b64a4e7c6b668f70e146579d3cc434378259e809223dd0b0f9fb
                                  • Instruction ID: 9b72e7e024ef6ddbe590988f3306decfce2d678b7d8614c84999dd503890d393
                                  • Opcode Fuzzy Hash: 170b5571e310b64a4e7c6b668f70e146579d3cc434378259e809223dd0b0f9fb
                                  • Instruction Fuzzy Hash: 21417BEB24D121BDF50282813B64FFA6B6DE7D2730730E866F817D1582F7946ACA6131

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 290 4e00bae-4e00bb5 291 4e00b50-4e00b92 GetCurrentHwProfileW 290->291 292 4e00bb7-4e00bb9 290->292 298 4e00b97-4e00b98 291->298 294 4e00bbb-4e00bd4 call 4e00bde 292->294 299 4e00bd6-4e00bd7 294->299 300 4e00b99-4e00ba9 294->300 298->300 299->298 301 4e00bd9-4e00e3e call 4e00dc2 299->301 300->294
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(04E00B1E), ref: 04E00B92
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3656088986.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 508749c07bcf1d3044902a7be2662128555f9e3ced58973062a257515df746d3
                                  • Instruction ID: 796984499bb1f47d5ebe3d8d98e39c4bd011445e281f2d26aea46e4151afda8e
                                  • Opcode Fuzzy Hash: 508749c07bcf1d3044902a7be2662128555f9e3ced58973062a257515df746d3
                                  • Instruction Fuzzy Hash: C1419AEB24D121BDF50281823B64FF66B2DE7C2B30330E866F817D5482F7946A8A6071

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 331 4e00b61-4e00b6d 332 4e00be6-4e00e3e call 4e00dc2 331->332 333 4e00b6f-4e00b77 331->333 337 4e00b90-4e00b92 GetCurrentHwProfileW 333->337 338 4e00b97-4e00b98 337->338 340 4e00b99-4e00bd4 call 4e00bde 338->340 347 4e00bd6-4e00bd7 340->347 347->338 349 4e00bd9-4e00be5 347->349 349->332
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(04E00B1E), ref: 04E00B92
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3656088986.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: a0a06610b50b9f70e0bd68035bd446df5ce2770abb6e40e0b4687a86b1d50604
                                  • Instruction ID: dbf42098633868a7c8b4d371c6bdcae3fea2e14aa0a1b7dbf2c398658ded64c8
                                  • Opcode Fuzzy Hash: a0a06610b50b9f70e0bd68035bd446df5ce2770abb6e40e0b4687a86b1d50604
                                  • Instruction Fuzzy Hash: F0419FEB34D161BDF50281813B64FFA6B2DE7D2730330E8A6F813D5086F7946A8A6531

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 371 4e00b10-4e00b11 372 4e00b13-4e00b77 call 4e00b2b 371->372 373 4e00b86-4e00b8f 371->373 385 4e00b90-4e00b92 GetCurrentHwProfileW 372->385 375 4e00b91-4e00b92 GetCurrentHwProfileW 373->375 376 4e00b97-4e00b98 375->376 379 4e00b99-4e00bd4 call 4e00bde 376->379 386 4e00bd6-4e00bd7 379->386 385->376 386->376 387 4e00bd9-4e00e3e call 4e00dc2 386->387
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(04E00B1E), ref: 04E00B92
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3656088986.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 889a1b9974b5f3e42d54a794f52a83188f39d7d69fb58cdbf36ffd694aeb1be4
                                  • Instruction ID: ae37bc51ccdb014562d10986aba0e1f492097b1195a05e9eae7dd07df696340d
                                  • Opcode Fuzzy Hash: 889a1b9974b5f3e42d54a794f52a83188f39d7d69fb58cdbf36ffd694aeb1be4
                                  • Instruction Fuzzy Hash: 1E41BDEB24C161BDF51282813B64FF66B2DE7D2730330E8A6F813D5082F7946ACA6131

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 417 4e00b7d-4e00b8f 419 4e00b91-4e00b92 GetCurrentHwProfileW 417->419 420 4e00b97-4e00b98 419->420 421 4e00b99-4e00bd4 call 4e00bde 420->421 425 4e00bd6-4e00bd7 421->425 425->420 426 4e00bd9-4e00e3e call 4e00dc2 425->426
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(04E00B1E), ref: 04E00B92
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3656088986.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 45f0152daee50a3d4d23884aba72ed0b3cc4e97af5484e9b575cb08610e010ad
                                  • Instruction ID: 23556530eac608d37b79f6a7a106b635e9cbdc8bf0e9e8337ef9f7d770b674a2
                                  • Opcode Fuzzy Hash: 45f0152daee50a3d4d23884aba72ed0b3cc4e97af5484e9b575cb08610e010ad
                                  • Instruction Fuzzy Hash: 1D419EEB24C121BDF51281813B64FF6676DE7D2B30330E866F813E5082F7946ACA6131

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 456 1c9789-1c97ab 457 1c999e 456->457 458 1c97b1-1c97b3 456->458 459 1c99a0-1c99a4 457->459 460 1c97df-1c9802 458->460 461 1c97b5-1c97d4 call 1b8be3 458->461 462 1c9808-1c980e 460->462 463 1c9804-1c9806 460->463 467 1c97d7-1c97da 461->467 462->461 465 1c9810-1c9821 462->465 463->462 463->465 468 1c9834-1c9844 call 1c92ce 465->468 469 1c9823-1c9831 call 1c263d 465->469 467->459 474 1c988d-1c989f 468->474 475 1c9846-1c984c 468->475 469->468 476 1c98f6-1c9916 WriteFile 474->476 477 1c98a1-1c98a7 474->477 478 1c984e-1c9851 475->478 479 1c9875-1c988b call 1c8e9f 475->479 480 1c9918-1c991e 476->480 481 1c9921 476->481 483 1c98a9-1c98ac 477->483 484 1c98e2-1c98f4 call 1c934b 477->484 485 1c985c-1c986b call 1c9266 478->485 486 1c9853-1c9856 478->486 497 1c986e-1c9870 479->497 480->481 489 1c9924-1c992f 481->489 490 1c98ce-1c98e0 call 1c950f 483->490 491 1c98ae-1c98b1 483->491 503 1c98c9-1c98cc 484->503 485->497 486->485 492 1c9936-1c9939 486->492 498 1c9999-1c999c 489->498 499 1c9931-1c9934 489->499 490->503 500 1c993c-1c993e 491->500 501 1c98b7-1c98c4 call 1c9426 491->501 492->500 497->489 498->459 499->492 505 1c996c-1c9978 500->505 506 1c9940-1c9945 500->506 501->503 503->497 508 1c997a-1c9980 505->508 509 1c9982-1c9994 505->509 510 1c995e-1c9967 call 1c16c8 506->510 511 1c9947-1c9959 506->511 508->457 508->509 509->467 510->467 511->467
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001C990E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0

                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001C8CE6,00000000,?,002FA178,0000000C,001C8DA2,?,?,?), ref: 001C8E55
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0

                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,001C2626,?,?,?,?,?), ref: 001C2558
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0

                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0018331F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000001,?,001C9FE0,00000001,00000364,00000001,00000006,000000FF,?,001B4B3F,?,?,76A923A0,?), ref: 001CA69B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000001,?,?,001B4B3F,?,?,76A923A0,?,?,00183522,?,?), ref: 001CB0C7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3656160462.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019A09D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019A0BF
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019A0E7
                                  • __Getctype.LIBCPMT ref: 0019A1C5
                                  • std::_Facet_Register.LIBCPMT ref: 0019A1F9
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019A223
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID: W
                                  • API String ID: 1102183713-1235663173
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 001B7307
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 001B730F
                                  • _ValidateLocalCookies.LIBCMT ref: 001B7398
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 001B73C3
                                  • _ValidateLocalCookies.LIBCMT ref: 001B7418
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm$iEa]
                                  • API String ID: 1170836740-1433933915
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  • Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction ID: 1d2b0f4d6bc6e4f79494d18678aa4d9ae3b84e4fffaabde0a461fd7dbdb60e4d
                                  • Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction Fuzzy Hash: BCB14232A082959FDB158F68C8C3FFA7BA5EF75710F14416AE905EB282D770D801C7A1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019C45A
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019C47C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019C4A4
                                  • std::_Facet_Register.LIBCPMT ref: 0019C59A
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019C5C4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID:
                                  • API String ID: 459529453-0
                                  • Opcode ID: 672710caead5b6b6abf9175d1f4f5f9faf653e344e37a5ac99f17013ed14e0a6
                                  • Instruction ID: 1db5e25c9ea9a6540e44e72843bf9c70ba4213c807652ca4f06187606cb69b8e
                                  • Opcode Fuzzy Hash: 672710caead5b6b6abf9175d1f4f5f9faf653e344e37a5ac99f17013ed14e0a6
                                  • Instruction Fuzzy Hash: CA51A9B0A01245DBEF12DF58C854BAEBBF4FB11314F24819AE895AB381D775AE05CBD0
                                  APIs
                                  • __freea.LIBCMT ref: 001CA86C
                                    • Part of subcall function 001CB094: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,001B4B3F,?,?,76A923A0,?,?,00183522,?,?), ref: 001CB0C7
                                  • __freea.LIBCMT ref: 001CA87F
                                  • __freea.LIBCMT ref: 001CA88C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: __freea$AllocateHeap
                                  • String ID: iEa]
                                  • API String ID: 2243444508-2013749009
                                  • Opcode ID: 13c6919d317bc04d9a20bb4ff511cb9f752443fcc7454835e887ab7e8d1f54fe
                                  • Instruction ID: 09ed3844c4e4e710b8e87995a1c3e81081bba963a4212380b158fdd7da54ce6d
                                  • Opcode Fuzzy Hash: 13c6919d317bc04d9a20bb4ff511cb9f752443fcc7454835e887ab7e8d1f54fe
                                  • Instruction Fuzzy Hash: 5651C17260020AABEB269EA4DC86FBB7BA9EF64715B55052DFD04D7110EB30DC1186A1
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0018499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 323602529-1866435925
                                  • Opcode ID: ed527ccfaa617876f0949548d4de8d2bcf88de42822a155f58ccd1595dd8b334
                                  • Instruction ID: 7afe677da9cf6c34186d5469c8c483e759a6fdae3a1b0080a60c52041add5a43
                                  • Opcode Fuzzy Hash: ed527ccfaa617876f0949548d4de8d2bcf88de42822a155f58ccd1595dd8b334
                                  • Instruction Fuzzy Hash: 19112C72D647946BC720FF5C8C03FA67398D719714F044629FE68872C2EF35AA108B92
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 001B2730
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001B273B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001B27A9
                                    • Part of subcall function 001B288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001B28A4
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 001B2756
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                  • String ID:
                                  • API String ID: 677527491-0
                                  • Opcode ID: 5fde5f644523d57f0807e3cf1dee0dbe961b294dae779e82fcba72b96590f082
                                  • Instruction ID: 1adb84c692a1219dd22c55454e2d58b3081159fb7f3acdceb53a5a9dfcfdf327
                                  • Opcode Fuzzy Hash: 5fde5f644523d57f0807e3cf1dee0dbe961b294dae779e82fcba72b96590f082
                                  • Instruction Fuzzy Hash: C601DF79A016109BCB0AEB24D8555BD7BB1FFE5750B14404AE81157391CF74AE06CFC6
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0018750C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00187522
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 5d6a1d3a15075020977b29c9edbf1074f946ad81b1bb26292726f98ba29edfef
                                  • Instruction ID: cfa56d36de850c2308cab8a1c5fbdaa9d2fbb45bed5685e8ff72d8ab090a7902
                                  • Opcode Fuzzy Hash: 5d6a1d3a15075020977b29c9edbf1074f946ad81b1bb26292726f98ba29edfef
                                  • Instruction Fuzzy Hash: FD51C1B1C146489FDB00EFA8C905B9EBBB4EF25314F144259E854AB382E7B45B44CBE1
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0018499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::failbit set
                                  • API String ID: 323602529-1240500531
                                  • Opcode ID: 29c7cb8acbb97c3b68d82bc6330e448346c9e847bfdb3651ea8e5df6bd445e8d
                                  • Instruction ID: 3c769b5c32d0de714f0ac246b9d0722173be60247edf0c185007c9ec282834d3
                                  • Opcode Fuzzy Hash: 29c7cb8acbb97c3b68d82bc6330e448346c9e847bfdb3651ea8e5df6bd445e8d
                                  • Instruction Fuzzy Hash: 4D4116B1D00648ABCB14EF58CC45BAEBBB8EB19710F24825DF554A7381DB756F00CBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00184061
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001840C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3636595072.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name
                                  • API String ID: 3988782225-1405518554
                                  • Opcode ID: ab56833a55ae58ba905199606e748174fc2b1f1ff861517a72351e6ed20b3c5b
                                  • Instruction ID: a313dbdf024ead10a8452ec9d0811ef2084efb8231dff073382adb1329e5b069
                                  • Opcode Fuzzy Hash: ab56833a55ae58ba905199606e748174fc2b1f1ff861517a72351e6ed20b3c5b
                                  • Instruction Fuzzy Hash: 8211D370805B84EED721CFA8C50478BBFF4AF26714F14869DE49597B81D3B96604CB91

                                  Control-flow Graph

                                  APIs
                                  • setsockopt.WS2_32(000003E4,0000FFFF,00001006,?,00000008), ref: 00247BA7
                                  • recv.WS2_32(?,00000004,00000002), ref: 00247BC1
                                  • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00247C43
                                  • recv.WS2_32(00000000,0000000C,00000008), ref: 00247C64
                                  • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 00247D01
                                    • Part of subcall function 00248590: WSAStartup.WS2_32 ref: 002485BB
                                    • Part of subcall function 00248590: socket.WS2_32(?,?,?,?,?,?,00309328,?,?), ref: 0024865D
                                    • Part of subcall function 00248590: connect.WS2_32(00000000,002D9BFC,?,?,?,?,00309328,?,?), ref: 00248671
                                    • Part of subcall function 00248590: closesocket.WS2_32(00000000), ref: 0024867D
                                  • recv.WS2_32(00000000,?,00000008), ref: 00247D1B
                                  • recv.WS2_32(?,00000004,00000008), ref: 00247E23
                                  • __Xtime_get_ticks.LIBCPMT ref: 00247E2A
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00247E38
                                  • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00247EB1
                                  • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00247EB9
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
                                  • String ID:
                                  • API String ID: 301102601-0
                                  • Opcode ID: 6580aed4a1379b1b06c3394e8497da4f6805358f09f6416c4b02ab62aedddb60
                                  • Instruction ID: edb0086e38b27651fa01a21da02dfdc4cbf6efefb1a62c17210e972640d70996
                                  • Opcode Fuzzy Hash: 6580aed4a1379b1b06c3394e8497da4f6805358f09f6416c4b02ab62aedddb60
                                  • Instruction Fuzzy Hash: 46B1CB70D14308DFEB15DFA4CC99BAEBBB5BB45300F20425AE454AB2E2D7B06D84CB91

                                  Control-flow Graph

                                  APIs
                                  • WSAStartup.WS2_32 ref: 002485BB
                                  • socket.WS2_32(?,?,?,?,?,?,00309328,?,?), ref: 0024865D
                                  • connect.WS2_32(00000000,002D9BFC,?,?,?,?,00309328,?,?), ref: 00248671
                                  • closesocket.WS2_32(00000000), ref: 0024867D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: c4bdeaeea399484152d205e3b61abc59bc15fba2f3340f69fdc5741898b208eb
                                  • Instruction ID: e1ad9fb36bad8236a0f214b60c3bc5db9b15bfd1e71e2163f67d3618e0cc9da8
                                  • Opcode Fuzzy Hash: c4bdeaeea399484152d205e3b61abc59bc15fba2f3340f69fdc5741898b208eb
                                  • Instruction Fuzzy Hash: A73139715253015BC7209F248C4562FB7E8FFC5334F125F19FAA4531E0D7309C548692

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 01f74f265337a1f2bf96b4878827b5c753a85cabbf8a2abbfe445faca7aca016
                                  • Instruction ID: 5891f8166287c0794eefb6f68097e3c177f66daf2b8b456b07b2d6a1ffce1ed3
                                  • Opcode Fuzzy Hash: 01f74f265337a1f2bf96b4878827b5c753a85cabbf8a2abbfe445faca7aca016
                                  • Instruction Fuzzy Hash: 9C715BEB34C111BDB18281836F24AFB676FE6D2F30735846BFA07D5503F2985A8A6431

                                  Control-flow Graph

                                  control_flow_graph 138 189280-1892dd call 1963b0 141 189413-189521 call 182df0 call 26a420 138->141 142 1892e3-1892e9 138->142 156 189523-189535 141->156 157 189537-18953f call 198dc0 141->157 143 1892f0-189313 142->143 145 189324-189331 143->145 146 189315-18931f 143->146 149 189342-18934f 145->149 150 189333-18933d 145->150 148 189403-189406 146->148 153 189409-18940d 148->153 154 189360-18936d 149->154 155 189351-18935b 149->155 150->148 153->141 153->143 158 18937e-18938b 154->158 159 18936f-189379 154->159 155->148 162 189544-189597 call 26a420 * 2 156->162 157->162 160 189399-1893a6 158->160 161 18938d-189397 158->161 159->148 164 1893a8-1893b2 160->164 165 1893b4-1893c1 160->165 161->148 175 189599-1895c8 call 26a420 call 1b5270 162->175 176 1895cb-1895e1 call 26a420 162->176 164->148 167 1893cf-1893dc 165->167 168 1893c3-1893cd 165->168 170 1893ea-1893f4 167->170 171 1893de-1893e8 167->171 168->148 170->153 174 1893f6-1893ff 170->174 171->148 174->148 175->176 181 1896e2 176->181 182 1895e7-1895ed 176->182 185 1896e6-1896f0 181->185 184 1895f0-1896ce WSASend 182->184 204 18975f-189763 184->204 205 1896d4-1896dc 184->205 187 18971e-18973d 185->187 188 1896f2-1896fe 185->188 189 18976f-189796 187->189 190 18973f-18974b 187->190 192 189700-18970e 188->192 193 189714-18971b call 1b38f3 188->193 194 18974d-18975b 190->194 195 189765-18976c call 1b38f3 190->195 192->193 196 189797-1897fe call 1b8c70 call 182df0 * 2 192->196 193->187 194->196 198 18975d 194->198 195->189 198->195 204->185 205->181 205->184
                                  APIs
                                  • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,002CD15C,00000000,76A923A0,-00309880), ref: 001896C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Send
                                  • String ID: Ws2_32.dll
                                  • API String ID: 121738739-3093949381
                                  • Opcode ID: c55b971bfca33273b7da805d038e1ece5992086eb48c0509bd43963282ad88a3
                                  • Instruction ID: 6fef90a0a579e6c184865225f69a54bc86fe8546f12c4f1cec5c9455980c1504
                                  • Opcode Fuzzy Hash: c55b971bfca33273b7da805d038e1ece5992086eb48c0509bd43963282ad88a3
                                  • Instruction Fuzzy Hash: 6D02EDB0D14298DFDF25DFA4C8907ACBBB0FF55304F284289E4856B286D7741A86CF92

                                  Control-flow Graph

                                  control_flow_graph 211 4cf063d-4cf0647 212 4cf060c-4cf0612 211->212 213 4cf0649-4cf064a 211->213 212->211 214 4cf064c-4cf0858 213->214 215 4cf060a 213->215 236 4cf0859-4cf086c GetCurrentHwProfileW 214->236 215->212 216 4cf05f4-4cf0604 215->216 216->215 237 4cf087c-4cf0b69 236->237
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 721280e9d763498a9c75470836314012088909137eb47a308789fba74b02c195
                                  • Instruction ID: fb231930b4b683047aa3784d2042cc7fa91f0ee889f4cbcada0ce3d3dafe2af5
                                  • Opcode Fuzzy Hash: 721280e9d763498a9c75470836314012088909137eb47a308789fba74b02c195
                                  • Instruction Fuzzy Hash: 3F716CEB34C111BDB28281436F24AFB676FE6C2B30735846BFA07D5503F2985A8A6531

                                  Control-flow Graph

                                  control_flow_graph 268 4cf0614-4cf0858 291 4cf0859-4cf086c GetCurrentHwProfileW 268->291 292 4cf087c-4cf0b69 291->292
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: f536caec5339043e143064a5070d1ed54a803adf7808666430dbbd6502f95dc9
                                  • Instruction ID: 9c676e25a9c2fcfb0cdc2480e173fa644cd2c70e65512343fd457568c0001289
                                  • Opcode Fuzzy Hash: f536caec5339043e143064a5070d1ed54a803adf7808666430dbbd6502f95dc9
                                  • Instruction Fuzzy Hash: 39615AEB34C111BDB18280836F24AFB57AFE6D2F30734846BFA07D5503F2985A896431

                                  Control-flow Graph

                                  control_flow_graph 323 4cf062f-4cf0858 344 4cf0859-4cf086c GetCurrentHwProfileW 323->344 345 4cf087c-4cf0b69 344->345
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 2567902f26673633dae39261d4cf09a465275fbcb69a1fc4b93e949210673f07
                                  • Instruction ID: 4ec88fa3b6a048e4abc579176723673e709e954b0db2b239b85fcd7100effef2
                                  • Opcode Fuzzy Hash: 2567902f26673633dae39261d4cf09a465275fbcb69a1fc4b93e949210673f07
                                  • Instruction Fuzzy Hash: C6614AEB34C111BDB18281836F24AFB67AEE6D2F30734846BFA07D5507F2985A896531

                                  Control-flow Graph

                                  control_flow_graph 376 4cf0670-4cf0858 395 4cf0859-4cf086c GetCurrentHwProfileW 376->395 396 4cf087c-4cf0b69 395->396
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: e59780ff18b229196af0717639c1c09008f71efe0c4994e1b4bdf9877730ab87
                                  • Instruction ID: b0ef7c067719abfd72a2d23ac0db0ab41f354e3962ef84461022e08085a7e834
                                  • Opcode Fuzzy Hash: e59780ff18b229196af0717639c1c09008f71efe0c4994e1b4bdf9877730ab87
                                  • Instruction Fuzzy Hash: 89513AEB34C115BDB19280836F24AFB676FE6D2F30734846BFA07D5507F2985A8A6431

                                  Control-flow Graph

                                  control_flow_graph 427 4cf06a6-4cf0858 446 4cf0859-4cf086c GetCurrentHwProfileW 427->446 447 4cf087c-4cf0b69 446->447
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: d997d3ef265017970dac68823559927b3ae4753d7dd593e438ce03625a398224
                                  • Instruction ID: 1cfeafea81182b45a6d561e657a5ab3f08abf5836224f8535c854a9aa437b703
                                  • Opcode Fuzzy Hash: d997d3ef265017970dac68823559927b3ae4753d7dd593e438ce03625a398224
                                  • Instruction Fuzzy Hash: 415139EB34C115BDB18281832F24AFB57AFE6D2F30734846BFA07D5507F2981A896431

                                  Control-flow Graph

                                  control_flow_graph 478 4cf06b2-4cf0858 496 4cf0859-4cf086c GetCurrentHwProfileW 478->496 497 4cf087c-4cf0b69 496->497
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: d1f405b6e577643c5bc33c219e8c7642a523c2041ba6992b063d37be02027af2
                                  • Instruction ID: f67b8de6a3f8f18a0eb2934f8a77d20bf916491376e6fa7db55a0ea0205b35e1
                                  • Opcode Fuzzy Hash: d1f405b6e577643c5bc33c219e8c7642a523c2041ba6992b063d37be02027af2
                                  • Instruction Fuzzy Hash: 625159EB34C115BDB18281836F24AFB576FE6D2F30738846BFA07D5503F2981A8A6531

                                  Control-flow Graph

                                  control_flow_graph 528 4cf06cb-4cf0858 545 4cf0859-4cf086c GetCurrentHwProfileW 528->545 546 4cf087c-4cf0b69 545->546
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 64816da106ad3bed9be368a76b4256f74313f9daaf57dd7bf2e697aba4efa4bb
                                  • Instruction ID: 366ace4d44bff72fd441055d1858dff691835652b17892dc3ccb91b7b495f688
                                  • Opcode Fuzzy Hash: 64816da106ad3bed9be368a76b4256f74313f9daaf57dd7bf2e697aba4efa4bb
                                  • Instruction Fuzzy Hash: 8B5148EB34C115BDB18281836F24AFB67AFE6D2F30734846BFA07D1507F6981A896431

                                  Control-flow Graph

                                  control_flow_graph 577 4cf0772-4cf0773 578 4cf0775-4cf0777 577->578 579 4cf0733-4cf076a 577->579 580 4cf0778-4cf0858 578->580 579->580 591 4cf0859-4cf086c GetCurrentHwProfileW 580->591 592 4cf087c-4cf0b69 591->592
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 3ead539436cf87552750adb8e065bb0e990f7a6416297a324f2c79c38a6ca3a1
                                  • Instruction ID: 2a7c1d6fa516dbaa03cb802f4ae7d0a317cb1b5ccfd90a92fb10f597972c3419
                                  • Opcode Fuzzy Hash: 3ead539436cf87552750adb8e065bb0e990f7a6416297a324f2c79c38a6ca3a1
                                  • Instruction Fuzzy Hash: 2E519DEB34C111BDB28280532F24AF757AFE6D2F30739846BFA07C5507F2881A896071

                                  Control-flow Graph

                                  control_flow_graph 623 4cf0727-4cf0858 636 4cf0859-4cf086c GetCurrentHwProfileW 623->636 637 4cf087c-4cf0b69 636->637
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 0f6545e79c59a11a381a1263385111a8569b44ae2b2e1e55e3fda85da6e3ddc6
                                  • Instruction ID: febf71be99124623b366dac82535a7078d6ad9fd1c7da92caad4ab04acee39cb
                                  • Opcode Fuzzy Hash: 0f6545e79c59a11a381a1263385111a8569b44ae2b2e1e55e3fda85da6e3ddc6
                                  • Instruction Fuzzy Hash: DC518DEB34C111BDB19280532F24AFB67AFE6D6F30735846BFA07C5507F2985A8A6071

                                  Control-flow Graph

                                  control_flow_graph 668 4cf06fa-4cf0858 683 4cf0859-4cf086c GetCurrentHwProfileW 668->683 684 4cf087c-4cf0b69 683->684
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: e502ea78f43c6a7d308f0fd7a51ee95cdbcb84d59041b2d2243bab5dda597991
                                  • Instruction ID: c5504e839b01df174006dc30441c2345d6342078fc0824a9895230b5c20d2e73
                                  • Opcode Fuzzy Hash: e502ea78f43c6a7d308f0fd7a51ee95cdbcb84d59041b2d2243bab5dda597991
                                  • Instruction Fuzzy Hash: E0515BAB34C115BDB18281436F24AFB67AFE6D6F30734846BFA07C5507F2982A896431

                                  Control-flow Graph

                                  control_flow_graph 715 4cf0713-4cf071b 716 4cf071d 715->716 717 4cf0722-4cf0858 715->717 716->717 730 4cf0859-4cf086c GetCurrentHwProfileW 717->730 731 4cf087c-4cf0b69 730->731
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: e2878860171af9f203450233de28d96c1cf04771152c7005a55733090941101f
                                  • Instruction ID: 1cdf2f0f31f38fdceb39f0d2ed610ff04f4cd701f3bd4fa6a46d6069c586b8ea
                                  • Opcode Fuzzy Hash: e2878860171af9f203450233de28d96c1cf04771152c7005a55733090941101f
                                  • Instruction Fuzzy Hash: 71514AEB34C115BDB18280432F24AFB57AFE6D6F30738846BFA07C5507F6986A896471
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: afebfcb38959172c709cf0a4c588939a6ed24710bc9a14197a37384011da42df
                                  • Instruction ID: 915aee926f2f8a87950255f14149d948dcc4230a36c6da81f6e04fe29b102a6c
                                  • Opcode Fuzzy Hash: afebfcb38959172c709cf0a4c588939a6ed24710bc9a14197a37384011da42df
                                  • Instruction Fuzzy Hash: 80517CEB74C125BDB19280532F64AFB57AFE6D2F30734846BFA07C1507F2986A896071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 3e453141e8015c05f464afb94d91152cf99f90f6d480b6b3ecce03d3ccb12a06
                                  • Instruction ID: c97d3f59e0815d4aa74c536452413231833b75fef84484ab67c0814863e322e1
                                  • Opcode Fuzzy Hash: 3e453141e8015c05f464afb94d91152cf99f90f6d480b6b3ecce03d3ccb12a06
                                  • Instruction Fuzzy Hash: 59417DEB34C125BDB19280432F24AFB57AFE6D2F30734846BFA07C1507F2985A896071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 002635e703c39ddf20ef5f695b05a734797f5f3a972efd006c0cbbf6727d114f
                                  • Instruction ID: 0011fecd8280eee384c63dcb4d4515f6441e73ff4cac221208b5cb59b493f7f9
                                  • Opcode Fuzzy Hash: 002635e703c39ddf20ef5f695b05a734797f5f3a972efd006c0cbbf6727d114f
                                  • Instruction Fuzzy Hash: 9D419CEB34C211BDB19281532F24AFB67AFE6D2F307788467FA07C5503F2981A4A6171
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 2456f75dc4adbc35fd8241e62bd3e90018fbeb4b62535c73661628c1ae6079f6
                                  • Instruction ID: 6ec9f5220698d31a262493fd3d83455f7cb3ab1a5f8f36336cba5c60dcdaca28
                                  • Opcode Fuzzy Hash: 2456f75dc4adbc35fd8241e62bd3e90018fbeb4b62535c73661628c1ae6079f6
                                  • Instruction Fuzzy Hash: 484159EB34C211BDB19280432F24AFB67AFE6D6F30778846BFA07C5503F2885A496071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: 44fe031d7b34b1f75984c019116a41eb4fc3f6afde655d3d103294b5ba2cb687
                                  • Instruction ID: 5363833682f33fa1a000c309b6675e971b5c2ef6436ddb21514ac463c7328973
                                  • Opcode Fuzzy Hash: 44fe031d7b34b1f75984c019116a41eb4fc3f6afde655d3d103294b5ba2cb687
                                  • Instruction Fuzzy Hash: D7415AEB34C111BDB19281833F24AFB67AFE6D6F30734846AFA07C1507F2985A496071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: da4923b69805af5fb1d43719b174cd3bbd8d47fe3396a77b27d1be9dfc4da35a
                                  • Instruction ID: 71bb2eb7198d3bc315925f63625cde77958d06cab0b9b5b2b72b977eb77b2428
                                  • Opcode Fuzzy Hash: da4923b69805af5fb1d43719b174cd3bbd8d47fe3396a77b27d1be9dfc4da35a
                                  • Instruction Fuzzy Hash: 6D418FEB34C211BDB19281476F24AFB67AFE6D6F307348467F607C5503F2985A496131
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CF085A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3655994682.0000000004CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4cf0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: 9yZ
                                  • API String ID: 2104809126-3320311314
                                  • Opcode ID: f30aff24895ee535ec1232a288782b215e5bfe84c174e9422879779198cafd6e
                                  • Instruction ID: d874d4e67f76cbdcf9aac0855b5ab4a2e08ed1442ce31ab11cdbbc090a94957b
                                  • Opcode Fuzzy Hash: f30aff24895ee535ec1232a288782b215e5bfe84c174e9422879779198cafd6e
                                  • Instruction Fuzzy Hash: B4418FEB34C115BDB18281432F24AFB67AFE6D6F307388467FA07C5503F6985A896071
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001C990E
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  • Associated: 00000007.00000002.3636394421.0000000000180000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3636572214.0000000000305000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3637432440.000000000030A000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3638295977.000000000030D000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3638295977.000000000048D000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3638295977.000000000056F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3638295977.00000000005AC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3638295977.00000000005B4000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3638295977.00000000005C2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3643624192.00000000005C3000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3644741337.0000000000759000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3644835018.000000000075B000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: a6f319b00cd7f9ace37470c227af5698cf72ace714e7bf2262d4b39cb9871a57
                                  • Instruction ID: 98499f1e538ce4967c2097479b893bf04689ed0d48f73cdc8a198f79594e0adb
                                  • Opcode Fuzzy Hash: a6f319b00cd7f9ace37470c227af5698cf72ace714e7bf2262d4b39cb9871a57
                                  • Instruction Fuzzy Hash: E461C572C04159AFDF15DFA8C888FEEBBB9AF29308F15014DE904A7256D732D911CBA1
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001C8CE6,00000000,?,002FA178,0000000C,001C8DA2,?,?,?), ref: 001C8E55
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 63666eee067ae5b42cf6dc543c65f6e2856f50a136f1ec2b1e4023f1dcf30b88
                                  • Instruction ID: 852a05434cf128767997a54ac8e46126baebecc2da37bc7a412c2ccdb3fe2d0c
                                  • Opcode Fuzzy Hash: 63666eee067ae5b42cf6dc543c65f6e2856f50a136f1ec2b1e4023f1dcf30b88
                                  • Instruction Fuzzy Hash: 2211263360516429D6252279A8C2FBE67C94BB3738F29061DF9188B1D3DFB1EC818251
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,001C2626,?,?,?,?,?), ref: 001C2558
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: ac48bf1ac6c5cac488a0bfe5d6e9d0d56739643bf2a613971c6c05f7cd495a11
                                  • Instruction ID: 3720e252cc6489ba7945f15e9d73a358b34b72cfb5da0a37895cb3f77de61d5f
                                  • Opcode Fuzzy Hash: ac48bf1ac6c5cac488a0bfe5d6e9d0d56739643bf2a613971c6c05f7cd495a11
                                  • Instruction Fuzzy Hash: AC012632610114AFDF09DF19DC11EDE7B6ADB95330B24010CF8009B2A1E771ED418B90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0018331F
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
                                  • Instruction ID: 9ed4b02ac229b45a1a310c2c913546ae7fd48b5ccdb163c4e3103eae90377dc4
                                  • Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
                                  • Instruction Fuzzy Hash: 5BF0B4721001049BDB147F64D4155E9B3F8EF24361754097AFCADC7212EB26DB50CB90
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000001,?,001C9FE0,00000001,00000364,00000001,00000006,000000FF,?,001B4B3F,?,?,76A923A0,?), ref: 001CA69C
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: e2bbdc92e78e516b0c38923513752a0b52f8a7d8f19737d09a36b32e4c80e039
                                  • Instruction ID: 1f5036b3737353ffdae8a511066d4c051e32abb9e0c8d2b02c643d20a2cf6973
                                  • Opcode Fuzzy Hash: e2bbdc92e78e516b0c38923513752a0b52f8a7d8f19737d09a36b32e4c80e039
                                  • Instruction Fuzzy Hash: BDF0BE321116386A9B236A729826F6A774DAF713B4F9D811AE804EB080DB20DC0086E6
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000001,?,?,001B4B3F,?,?,76A923A0,?,?,00183522,?,?), ref: 001CB0C7
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 08218610a062a868084db083e1fab89843fbd220a73f256dbd223f87925a6f37
                                  • Instruction ID: 388eb239681873e4b7ff9fad8e93dbf0bb7257616d28ed47ef3f22fe8fdadcbe
                                  • Opcode Fuzzy Hash: 08218610a062a868084db083e1fab89843fbd220a73f256dbd223f87925a6f37
                                  • Instruction Fuzzy Hash: 6BE02B311096306ADB3126759C93F5F766D9F723A0F050259FC24D24C1DB20CC30C1E6
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                  • Instruction ID: bd870b6c25173df810139d121d3ac0cc15803509ae083af51ec187d6f0536042
                                  • Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                  • Instruction Fuzzy Hash: 97022A75E012199BDF14CFA9C9806EEBBB1FF58314F24826AE919E7381D731A941CBD0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  • Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction ID: 1d2b0f4d6bc6e4f79494d18678aa4d9ae3b84e4fffaabde0a461fd7dbdb60e4d
                                  • Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction Fuzzy Hash: BCB14232A082959FDB158F68C8C3FFA7BA5EF75710F14416AE905EB282D770D801C7A1
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 001B7307
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 001B730F
                                  • _ValidateLocalCookies.LIBCMT ref: 001B7398
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 001B73C3
                                  • _ValidateLocalCookies.LIBCMT ref: 001B7418
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: fb6a0f5718628581a0da8c5d29705cd4807015128aee89b9639ac22af8a0994d
                                  • Instruction ID: f8058b93ad49525a024304d05409db8653cc1c46d5cb9e9c4c17b682464de9bf
                                  • Opcode Fuzzy Hash: fb6a0f5718628581a0da8c5d29705cd4807015128aee89b9639ac22af8a0994d
                                  • Instruction Fuzzy Hash: 0B41A134A042099FCF10DF68C885ADEBBE5BF95314F148196EC199B3A2DB31E901DB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019A09D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019A0BF
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019A0E7
                                  • __Getctype.LIBCPMT ref: 0019A1C5
                                  • std::_Facet_Register.LIBCPMT ref: 0019A1F9
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019A223
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID:
                                  • API String ID: 1102183713-0
                                  • Opcode ID: e296a2c9c687e739b93c7c84ddb23044a619728e46309fe2c704e470bcaed8de
                                  • Instruction ID: bf7af338d11fb01ad718cf2211c6b1ffc9f4216d384af837703a73491aa16505
                                  • Opcode Fuzzy Hash: e296a2c9c687e739b93c7c84ddb23044a619728e46309fe2c704e470bcaed8de
                                  • Instruction Fuzzy Hash: 1F5188B0D01245CBCB11DF58C9417AEBBB4BF11714F248299D855AB391DB74AE48CBD2
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019C45A
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019C47C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019C4A4
                                  • std::_Facet_Register.LIBCPMT ref: 0019C59A
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019C5C4
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID:
                                  • API String ID: 459529453-0
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0018499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 323602529-1866435925
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 001B2730
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001B273B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001B27A9
                                    • Part of subcall function 001B288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001B28A4
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 001B2756
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                  • String ID:
                                  • API String ID: 677527491-0
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0018750C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00187522
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0018499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::failbit set
                                  • API String ID: 323602529-1240500531
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00184061
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001840C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3636572214.0000000000181000.00000040.00000001.01000000.00000005.sdmp, Offset: 00180000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_180000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name
                                  • API String ID: 3988782225-1405518554

                                  APIs
                                  • setsockopt.WS2_32(00000408,0000FFFF,00001006,?,00000008), ref: 007C7BA7
                                  • recv.WS2_32(?,00000004,00000002), ref: 007C7BC1
                                  • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 007C7C43
                                  • recv.WS2_32(00000000,0000000C,00000008), ref: 007C7C64
                                  • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 007C7D00
                                    • Part of subcall function 007C8590: WSAStartup.WS2_32 ref: 007C85BB
                                    • Part of subcall function 007C8590: socket.WS2_32(?,?,?,?,?,?,00889328,?,?), ref: 007C865D
                                    • Part of subcall function 007C8590: connect.WS2_32(00000000,00859BFC,?,?,?,?,00889328,?,?), ref: 007C8672
                                    • Part of subcall function 007C8590: closesocket.WS2_32(00000000), ref: 007C867D
                                  • recv.WS2_32(00000000,?,00000008), ref: 007C7D1B
                                  • recv.WS2_32(?,00000004,00000008), ref: 007C7E23
                                  • __Xtime_get_ticks.LIBCPMT ref: 007C7E2A
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007C7E38
                                  • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 007C7EB1
                                  • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 007C7EB9
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
                                  • String ID:
                                  • API String ID: 301102601-0

                                  APIs
                                  • WSAStartup.WS2_32 ref: 007C85BB
                                  • socket.WS2_32(?,?,?,?,?,?,00889328,?,?), ref: 007C865D
                                  • connect.WS2_32(00000000,00859BFC,?,?,?,?,00889328,?,?), ref: 007C8672
                                  • closesocket.WS2_32(00000000), ref: 007C867D
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0

                                  APIs
                                  • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0084D15C,00000000,76A923A0,-00889880), ref: 007096C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Send
                                  • String ID: Ws2_32.dll
                                  • API String ID: 121738739-3093949381

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: ]h
                                  • API String ID: 2104809126-3573960236
                                  • Opcode ID: 2e17d2cf278e93de51af5fb676a9b82054fbc1e217b21c00a3bbd76db258d3cb
                                  • Instruction ID: 0475da6979efc0e444b9079f24c78934b194d4d7c66d32d09acb4609822585c8
                                  • Opcode Fuzzy Hash: 2e17d2cf278e93de51af5fb676a9b82054fbc1e217b21c00a3bbd76db258d3cb
                                  • Instruction Fuzzy Hash: 383137E72491157FA692C08977BCBFE6B5FB7D77307308526BC87D6542E2840ACA013A

                                  Control-flow Graph

                                  control_flow_graph 195 501097b-5010b77 219 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 195->219 221 5010b84-5010bd9 call 5010be3 219->221 221->219 225 5010bdb-5010bdd 221->225 225->219 226 5010bdf-5010be1 225->226
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: ]h
                                  • API String ID: 2104809126-3573960236
                                  • Opcode ID: 2c136399760b8769949a8dae2adf81b7719b8bbd1f9c7e8c423eb09931c4b2f8
                                  • Instruction ID: 163a64c7188b0865449157473f70335decf8cbb20c63a646b479c0b9e2cb0291
                                  • Opcode Fuzzy Hash: 2c136399760b8769949a8dae2adf81b7719b8bbd1f9c7e8c423eb09931c4b2f8
                                  • Instruction Fuzzy Hash: 1B3128EB249105BFA252D0857B78BFF675FB7D7730B304526BD87D6542D2840ACA013A

                                  Control-flow Graph

                                  control_flow_graph 227 5010975-5010b77 252 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 227->252 254 5010b84-5010bd9 call 5010be3 252->254 254->252 258 5010bdb-5010bdd 254->258 258->252 259 5010bdf-5010be1 258->259
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: ]h
                                  • API String ID: 2104809126-3573960236
                                  • Opcode ID: 4c7a3a27e546711adb4b0c80f00c5dcd5184f1d0f89d62cfa577bc6e38e837b5
                                  • Instruction ID: 0ce45ac2f7f317c3e7ee796480c7c83b95f70c2079c71805172a7ea764dc728a
                                  • Opcode Fuzzy Hash: 4c7a3a27e546711adb4b0c80f00c5dcd5184f1d0f89d62cfa577bc6e38e837b5
                                  • Instruction Fuzzy Hash: DF31F5EB249105BFA252C089777CBFE675FB7D77307308426BD87D6642E2840ACA013A

                                  Control-flow Graph

                                  control_flow_graph 260 749789-7497ab 261 7497b1-7497b3 260->261 262 74999e 260->262 264 7497b5-7497d4 call 738be3 261->264 265 7497df-749802 261->265 263 7499a0-7499a4 262->263 271 7497d7-7497da 264->271 267 749804-749806 265->267 268 749808-74980e 265->268 267->268 270 749810-749821 267->270 268->264 268->270 272 749834-749844 call 7492ce 270->272 273 749823-749831 call 74263d 270->273 271->263 278 749846-74984c 272->278 279 74988d-74989f 272->279 273->272 282 749875-74988b call 748e9f 278->282 283 74984e-749851 278->283 280 7498f6-749916 WriteFile 279->280 281 7498a1-7498a7 279->281 284 749921 280->284 285 749918-74991e 280->285 287 7498e2-7498f4 call 74934b 281->287 288 7498a9-7498ac 281->288 301 74986e-749870 282->301 289 749853-749856 283->289 290 74985c-74986b call 749266 283->290 295 749924-74992f 284->295 285->284 308 7498c9-7498cc 287->308 296 7498ce-7498e0 call 74950f 288->296 297 7498ae-7498b1 288->297 289->290 291 749936-749939 289->291 290->301 305 74993c-74993e 291->305 302 749931-749934 295->302 303 749999-74999c 295->303 296->308 304 7498b7-7498c4 call 749426 297->304 297->305 301->295 302->291 303->263 304->308 310 749940-749945 305->310 311 74996c-749978 305->311 308->301 314 749947-749959 310->314 315 74995e-749967 call 7416c8 310->315 312 749982-749994 311->312 313 74997a-749980 311->313 312->271 313->262 313->312 314->271 315->271
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0074990E
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: debddbb988c9b05502572a6514d3506d993c5f69782c50de23cfa24796fe6297
                                  • Instruction ID: 9b57ae5cd08c77de1e5a51a4200e5fcbc97c9b7f4548bacc8047f4b1286ffe8a
                                  • Opcode Fuzzy Hash: debddbb988c9b05502572a6514d3506d993c5f69782c50de23cfa24796fe6297
                                  • Instruction Fuzzy Hash: C16191B1D04119BFDF11DFA8C884AEFBBB9BF4A304F140149EA04A7246D73AD911CBA1

                                  Control-flow Graph

                                  control_flow_graph 318 50109da-50109e8 319 50109c9-50109d5 318->319 320 50109ea-50109ec 318->320 322 50109ee-5010b77 319->322 320->322 343 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 322->343 345 5010b84-5010bd9 call 5010be3 343->345 345->343 349 5010bdb-5010bdd 345->349 349->343 350 5010bdf-5010be1 349->350
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: cd664be1c0b772757745639e3559697c4ef57f31940f0d20bfe27be6ddfb0dea
                                  • Instruction ID: 011b1496774a0a3affd49aa2d6f11ccf5269ab4e6f03aa9b0b699fe2e468e9e0
                                  • Opcode Fuzzy Hash: cd664be1c0b772757745639e3559697c4ef57f31940f0d20bfe27be6ddfb0dea
                                  • Instruction Fuzzy Hash: 18313CE7149215AF9252C095777CBFE679FB7977307304426BD87C6542E2840AC9023B

                                  Control-flow Graph

                                  control_flow_graph 351 50109cc-5010b77 374 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 351->374 376 5010b84-5010bd9 call 5010be3 374->376 376->374 380 5010bdb-5010bdd 376->380 380->374 381 5010bdf-5010be1 380->381
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: fc1b995a221a018fe123dfba107bc5c6fa61eabb84110220fcd0d99dd546d378
                                  • Instruction ID: ea56fc74ba6f77353769a11e67a4bf770d8894a6b70d351d8a5b54d35473bfb1
                                  • Opcode Fuzzy Hash: fc1b995a221a018fe123dfba107bc5c6fa61eabb84110220fcd0d99dd546d378
                                  • Instruction Fuzzy Hash: 20213ADB24D115BFA252D08977B8BFE565FB7D77307304026BD87C6542D2840ACA013B

                                  Control-flow Graph

                                  control_flow_graph 382 50109fe-5010b77 402 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 382->402 404 5010b84-5010bd9 call 5010be3 402->404 404->402 408 5010bdb-5010bdd 404->408 408->402 409 5010bdf-5010be1 408->409
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 8935ff49197dca00b3fd88af2ad0712d182362b935ced73211df7c03266d6baf
                                  • Instruction ID: b8f9b84243562e793d3268561105e06c5e9407be7c021cc378ca791641a64745
                                  • Opcode Fuzzy Hash: 8935ff49197dca00b3fd88af2ad0712d182362b935ced73211df7c03266d6baf
                                  • Instruction Fuzzy Hash: 2821F7EB249105AFA252D08977B8BFE675FB7D77307708426BD87C6542E2840AC9013B

                                  Control-flow Graph

                                  control_flow_graph 410 5010aa7-5010aab 411 5010a4a-5010aa2 410->411 412 5010aad-5010aaf 410->412 416 5010ab7-5010b77 411->416 412->411 414 5010ab1-5010ab5 412->414 414->416 428 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 416->428 430 5010b84-5010bd9 call 5010be3 428->430 430->428 434 5010bdb-5010bdd 430->434 434->428 435 5010bdf-5010be1 434->435
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: bfa6dc79b85bf1c4424836e6a127db70541377974411f1471a6016617552298b
                                  • Instruction ID: 5a1d50f6ff3ae72688b03cce1f126588dd27a02dfb51b4a7dc7691279a22dfbe
                                  • Opcode Fuzzy Hash: bfa6dc79b85bf1c4424836e6a127db70541377974411f1471a6016617552298b
                                  • Instruction Fuzzy Hash: AA2137AB24D2156F9652C0993B78EFF6B6FA7D7B307304536FC87C6142E28409CA0136

                                  Control-flow Graph

                                  control_flow_graph 436 5010a0b-5010b77 455 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 436->455 457 5010b84-5010bd9 call 5010be3 455->457 457->455 461 5010bdb-5010bdd 457->461 461->455 462 5010bdf-5010be1 461->462
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 61481a55eb54e04762f5e90b9a57cad582c2155a8ac3162e32372e0ac2972706
                                  • Instruction ID: 6166232df7a893efbcd05e8c0cd48afacacdfa1bdeae172e6fe6e4c7f0ea3835
                                  • Opcode Fuzzy Hash: 61481a55eb54e04762f5e90b9a57cad582c2155a8ac3162e32372e0ac2972706
                                  • Instruction Fuzzy Hash: C321F8DB249115BFA252D08977B8AFE675FB7D77307708436BC87C6542E2844ACA013A

                                  Control-flow Graph

                                  control_flow_graph 463 5010a28-5010b77 481 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 463->481 483 5010b84-5010bd9 call 5010be3 481->483 483->481 487 5010bdb-5010bdd 483->487 487->481 488 5010bdf-5010be1 487->488
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: a1100144e779f56668e3f863c4aad31304d9defbf43637139b69da04b060814c
                                  • Instruction ID: 128369822faba15b7f7cbe5af3634f3ecbb09d1ebb1bf6eb3b93e3951e021002
                                  • Opcode Fuzzy Hash: a1100144e779f56668e3f863c4aad31304d9defbf43637139b69da04b060814c
                                  • Instruction Fuzzy Hash: 6C2128EB249105BFA652C0897BB8BFEA75FB7D67347304426BC87C2542E6800ACA0136

                                  Control-flow Graph

                                  control_flow_graph 489 5010a3d-5010b77 504 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 489->504 506 5010b84-5010bd9 call 5010be3 504->506 506->504 510 5010bdb-5010bdd 506->510 510->504 511 5010bdf-5010be1 510->511
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: abb5a4f9437b394f49ab3506db0b4a8904664109b48f0193d4ceeb68f15aff67
                                  • Instruction ID: c34cb98628cbd94bb6a459edcabec878d1aabb5d29f7c41804d7e841ca34032e
                                  • Opcode Fuzzy Hash: abb5a4f9437b394f49ab3506db0b4a8904664109b48f0193d4ceeb68f15aff67
                                  • Instruction Fuzzy Hash: 672127E72482557F9652D0983BB8AFF6B6FABD77703304536FC47D6142E2850ACA0136

                                  Control-flow Graph

                                  control_flow_graph 512 5010a20-5010b77 531 5010b78-5010b7f GetCurrentHwProfileW call 5010b8f 512->531 533 5010b84-5010bd9 call 5010be3 531->533 533->531 537 5010bdb-5010bdd 533->537 537->531 538 5010bdf-5010be1 537->538
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: f06a7bf0c4bc9153c59cbd4244645de42a6c937f87ca91382ec5d220a4427d9d
                                  • Instruction ID: 2dc1c1d5171a205af477516ea1bc51af4d2c8193ebcf6ab3b82e52893f0b6aa3
                                  • Opcode Fuzzy Hash: f06a7bf0c4bc9153c59cbd4244645de42a6c937f87ca91382ec5d220a4427d9d
                                  • Instruction Fuzzy Hash: 6E21F8EB249105AFA251D08977B8AFE675FB7D67307308426FC87C6142E2844ACA013A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 6df16d2b60a510380a73f9f6decbc1c825bcc37d2b7dda25d027e2768c670523
                                  • Instruction ID: 88e9cf6585f491d2f833aad5cec6b301c3be44d630b3209ee69d0cf8222159d0
                                  • Opcode Fuzzy Hash: 6df16d2b60a510380a73f9f6decbc1c825bcc37d2b7dda25d027e2768c670523
                                  • Instruction Fuzzy Hash: 6F2138E7249105AF5652D09977B8AFF67AFA7DB7303304436F847C6142E6800ACA013A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 356a3bc5930d08cea2df36924622653009f230239d392512fd17c212c1c2918f
                                  • Instruction ID: 64f68637873a68cb68a3224fd3081f30b243c6e59d3e17171cf17c83e0531c24
                                  • Opcode Fuzzy Hash: 356a3bc5930d08cea2df36924622653009f230239d392512fd17c212c1c2918f
                                  • Instruction Fuzzy Hash: 291124AB249105AF9652D09977B8AFFAB9FB7C77303304526FC87C6542E28446CA013A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: ea00a707a0a7b3e38b2ccaee3c5cbd0e7d756e2024bebd8f669b166a8d319129
                                  • Instruction ID: 1ce767016c229b4b6b296a98fd1b663bd3cd46e9a41039ea9f10f78bc7ddaef2
                                  • Opcode Fuzzy Hash: ea00a707a0a7b3e38b2ccaee3c5cbd0e7d756e2024bebd8f669b166a8d319129
                                  • Instruction Fuzzy Hash: CE113AA724D245AF9252D0987778EFF6B9FBB977343344466FC87C6542D2840ACA0126
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 8905929f652ab09c7d5b48250e118a7974985b58db05988dc1277f3c2e5d8a59
                                  • Instruction ID: 68dfcb86a42f5d60b7cbfd9f12dadba67ec71cc78948a364605ee442787d5a38
                                  • Opcode Fuzzy Hash: 8905929f652ab09c7d5b48250e118a7974985b58db05988dc1277f3c2e5d8a59
                                  • Instruction Fuzzy Hash: 3F113AE72481046F8652D09977B8AFFAB9FA7877347304566BC87D6542E2800ACA0126
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: fbaea91e90591215fba1917ac5a86bac5737a27d72898ac31d59d07bd581e84c
                                  • Instruction ID: b9792d33e8d209a726c3faa5de46ac7c04fc0c348fbc83f9e906a80702cc7383
                                  • Opcode Fuzzy Hash: fbaea91e90591215fba1917ac5a86bac5737a27d72898ac31d59d07bd581e84c
                                  • Instruction Fuzzy Hash: 421148E73482456F975295D93BA8EFEBB9FAAC7B30334057AE847C7543D280098A0132
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 29526935562b079f82782e1255e24172fd31785867202824dc04755c2272abf8
                                  • Instruction ID: 742f5a38dc856a7ab2fab367147dbf4b24048e7dfb7e24ce9cbe84433c4a377e
                                  • Opcode Fuzzy Hash: 29526935562b079f82782e1255e24172fd31785867202824dc04755c2272abf8
                                  • Instruction Fuzzy Hash: 1E01F9DB2481456E555190D937BCAFEA79FA7C77743305836AC47C7542E28149CA1036
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00748CE6,00000000,?,0087A178,0000000C,00748DA2,?,?,?), ref: 00748E55
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 536498d49ec86c6e2b95cfe8ccb3dc14c3e30f72aa650358f229d2a9e8886776
                                  • Instruction ID: 8a93e7be60c039976235b4924f86656230e3f4acc5f1f52f616892f469f7dd19
                                  • Opcode Fuzzy Hash: 536498d49ec86c6e2b95cfe8ccb3dc14c3e30f72aa650358f229d2a9e8886776
                                  • Instruction Fuzzy Hash: A6116B33645138A9D6A522349C45B7E27495F82B38F29065DFA189B1C3DF7CDC814253
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: d8fbd1a62062d756ab7918821d3843ce6a99af0aad12d2791cc896abe19f870c
                                  • Instruction ID: dd0f94476a8b85320ae2bc274107c5c334daf79dc3625f9d67c49d0230b85fd6
                                  • Opcode Fuzzy Hash: d8fbd1a62062d756ab7918821d3843ce6a99af0aad12d2791cc896abe19f870c
                                  • Instruction Fuzzy Hash: 22F0F9EB2442452E565191D93768BFEA7DFAAC7B703305476E847C7542E28109CA0036
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: aff5a52a26ab11a46bffb16359168e18d508a8a34c1b28ac00a91ab2daac5afe
                                  • Instruction ID: b5db24eeb6e16ffbdb0d3748b4fde557d5435a530fa2b3770d6fd7d290555220
                                  • Opcode Fuzzy Hash: aff5a52a26ab11a46bffb16359168e18d508a8a34c1b28ac00a91ab2daac5afe
                                  • Instruction Fuzzy Hash: 5AF07DD73441053E566696DD7768AFEA79FAAC3B703345836E847C7542E681098A0131
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00742626,?,?,?,?,?), ref: 00742558
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: a54e8fcdb1e433da01db46ba16628cba6b3c584538a9bfd27e388ed6c3222506
                                  • Instruction ID: 32c83be09749dbcc0109b8461a694c7f2eca3c25f5c3190ddc72c4bb74c896db
                                  • Opcode Fuzzy Hash: a54e8fcdb1e433da01db46ba16628cba6b3c584538a9bfd27e388ed6c3222506
                                  • Instruction Fuzzy Hash: 23012632640205AFDF09DF58CC1599E7B5AEF85334B740148F8009B2A2EB75EE628B90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0070331F
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
                                  • Instruction ID: b0c8b54aa5119038eca5a3f40fd27af841f501c10120a90a989f32cce8d20edd
                                  • Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
                                  • Instruction Fuzzy Hash: DBF0B472100104DBDB246F64D45A9E9F3ECDF24362B500A7AF88DC7293EB2EDA518790
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00749FE0,00000001,00000364,00000001,00000006,000000FF,?,00734B3F,?,?,76A923A0,?), ref: 0074A69B
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: cb2551f1573546ded665d4f8036a8ae9fc540f2aadc1d23b0276159e3c1f9849
                                  • Instruction ID: 3837855a0291023b9a9bf71b7c1806b9148bdeebfa97ce22b5571a731702fdf0
                                  • Opcode Fuzzy Hash: cb2551f1573546ded665d4f8036a8ae9fc540f2aadc1d23b0276159e3c1f9849
                                  • Instruction Fuzzy Hash: B1F0E2322D1624BBDB216A66DC05A6A374DAF427A0F2F8121EC44EB080CF3CDC0086E7
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 05010B79
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655904541.0000000005010000.00000040.00001000.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5010000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: aa7629199adaf569408385286e38468d77a35679dc2d95c765451ca1c47d3485
                                  • Instruction ID: 6368df24fa6e32284978a28e3cb96be76947aad5397f4238f5703541c4120cda
                                  • Opcode Fuzzy Hash: aa7629199adaf569408385286e38468d77a35679dc2d95c765451ca1c47d3485
                                  • Instruction Fuzzy Hash: 63E055BB2882052F4A52A2DC33B8AFD6B8A5F86A71334083ADC43C7042E58148820066
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00734B3F,?,?,76A923A0,?,?,00703522,?,?), ref: 0074B0C7
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 71e0f1aaf1fc3e1c52e3de70cebeaf19a73d8a893111046aa711551c2655875c
                                  • Instruction ID: ff54522689e4b6e0404aa64cd3400cc913fe423bf423cea89047968b592bf3e5
                                  • Opcode Fuzzy Hash: 71e0f1aaf1fc3e1c52e3de70cebeaf19a73d8a893111046aa711551c2655875c
                                  • Instruction Fuzzy Hash: AFE09231245625AAEF3136A59C15B6B764DAF423A2F994210EC35A61E1DF6CCC1082F6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655956058.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5020000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28802a8de6452dbffcfe14cdd72ac9606faec8aaafcc1e6510cf5f9b0056a95b
                                  • Instruction ID: efd7f1d7f75291f411f6131b1623c5832b38878e33861bbead94f3bdda4bf1cf
                                  • Opcode Fuzzy Hash: 28802a8de6452dbffcfe14cdd72ac9606faec8aaafcc1e6510cf5f9b0056a95b
                                  • Instruction Fuzzy Hash: FC11E3E754C230BDF102C5613AB8AFE6B6EF6D2B30331886BF846C6606E15A594E5871
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655956058.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5020000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32eb19bda7431e9e6ecb671fa70323d64f4385bb961008c279a37c0c38d71b5b
                                  • Instruction ID: 092707a3b5ad238c4059279dc6ee2a591f01c7a745e9d1717bde8c65c564587c
                                  • Opcode Fuzzy Hash: 32eb19bda7431e9e6ecb671fa70323d64f4385bb961008c279a37c0c38d71b5b
                                  • Instruction Fuzzy Hash: 5611C1F754C320AEF202D1617AB8AFE6BAFE6D6730331896BF442C6502D29A594E4534
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655956058.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5020000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bd1bc6493d6de96afd22a31a853d9e99fb034fdfcb2dc26feb7c705ffb353f28
                                  • Instruction ID: a18a357c37f8b7bfd68f5e3302819c30f1f200018ae6585037d1a7e7ad16c1e5
                                  • Opcode Fuzzy Hash: bd1bc6493d6de96afd22a31a853d9e99fb034fdfcb2dc26feb7c705ffb353f28
                                  • Instruction Fuzzy Hash: 5611E7FB54C330ADB201D1613AB8AFE7B6FE5D6730331886BF846D6102D25A594D4874
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655956058.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5020000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03ddbd2d54fe6cae97931f30a49154ef19235cb2562adcc561b7b081f541e505
                                  • Instruction ID: ca814612d8c7cf4d1a56f43a241812e585c341f76a2541e2be1b9ad044431ccf
                                  • Opcode Fuzzy Hash: 03ddbd2d54fe6cae97931f30a49154ef19235cb2562adcc561b7b081f541e505
                                  • Instruction Fuzzy Hash: EC018BFB54C330BEB106C5927A789FE6B6FE6D6730330885BF807C2502D2A99A4D1834
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655956058.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5020000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: acbb8d69e8312f9970f29bb821349ed68671327d3ec2bbbda34d650d29c5792d
                                  • Instruction ID: bfbd6a22fe3da04f03628079bfa3813f05fd0a6415deef9f65eea065187fb8c4
                                  • Opcode Fuzzy Hash: acbb8d69e8312f9970f29bb821349ed68671327d3ec2bbbda34d650d29c5792d
                                  • Instruction Fuzzy Hash: F201B5FB54C320BEF101D5513E78AFF67AEE2D2730731896BF846C2102D299594E5834
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655956058.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5020000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b24de7ec6f52039e2cc2031cb75a94ae2de1e6e8af8a28c22cff12ecb9d8d8c6
                                  • Instruction ID: 2b3eafa5ff28141f9506aa290c5fd3494b27d4485145d61e56bb49dbaa3d91a5
                                  • Opcode Fuzzy Hash: b24de7ec6f52039e2cc2031cb75a94ae2de1e6e8af8a28c22cff12ecb9d8d8c6
                                  • Instruction Fuzzy Hash: BCF0C2FB24C3307EB105D5913A68AFFAB6EE5D2730331C86BF842C2503D699594D1434
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3655956058.0000000005020000.00000040.00001000.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5020000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: af90cfe476125b76680fe22560c04392c802986cca9338203fb64bf12a809418
                                  • Instruction ID: 54d0787d3cae03f778fa7ed89fed00600a248e635f27a470f434c50bc27c748c
                                  • Opcode Fuzzy Hash: af90cfe476125b76680fe22560c04392c802986cca9338203fb64bf12a809418
                                  • Instruction Fuzzy Hash: 1EF0C8B764C2306FB204D5527A68AFF67AAE6D2730331847FF442C3106C61A995E5434
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                  • Instruction ID: a3b7b9fd0d1b82f2c9f6240b838cbf48d578130d2754f3a5d9c04f6e5488bac0
                                  • Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                  • Instruction Fuzzy Hash: 6C023B71E012199BEF15CFA9C9806AEFBB1FF48314F248269E919F7341D735A941CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0071A09D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0071A0BF
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0071A0E7
                                  • __Getctype.LIBCPMT ref: 0071A1C5
                                  • std::_Facet_Register.LIBCPMT ref: 0071A1F9
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0071A223
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID: PDp$PGp$Ep
                                  • API String ID: 1102183713-1397274705
                                  • Opcode ID: cecce58ad121800b8bc16797ad0b8871fe73ee9bd516f67570fc1d2f691aa78d
                                  • Instruction ID: db456769c6ff670067cd7d30ba1b5f659ee4502f9e269b6fb1b4c37fa38b398a
                                  • Opcode Fuzzy Hash: cecce58ad121800b8bc16797ad0b8871fe73ee9bd516f67570fc1d2f691aa78d
                                  • Instruction Fuzzy Hash: 1D51BBB0D01249EFDB10CF98C9457AEBBF0FB10710F148258D855AB392E778AE85CB92
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00737307
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0073730F
                                  • _ValidateLocalCookies.LIBCMT ref: 00737398
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 007373C3
                                  • _ValidateLocalCookies.LIBCMT ref: 00737418
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: `-p$csm
                                  • API String ID: 1170836740-1528604419
                                  • Opcode ID: aa444dcea41644ab0e155018e3ac687948ea9e1877ca9f702021f2d130b610ea
                                  • Instruction ID: dcd07bd1f41f0ce05acd2b5c89e422495001d819e37028ee29f906b922224844
                                  • Opcode Fuzzy Hash: aa444dcea41644ab0e155018e3ac687948ea9e1877ca9f702021f2d130b610ea
                                  • Instruction Fuzzy Hash: B141D170A04249DBDF24DF68C885A9EBBA5FF05324F148055FC14AB353DB39EA15CB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0071C45A
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0071C47C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0071C4A4
                                  • std::_Facet_Register.LIBCPMT ref: 0071C59A
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0071C5C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID: Ep$PDp
                                  • API String ID: 459529453-1936355350
                                  • Opcode ID: c9a889b7cfaa2132e44a0de6192cb1ddad7c37b2fa00d58de874dffdbb54e4bb
                                  • Instruction ID: 901f1b06eeb6dbcc61c283b4a73c4069b4416178bd86934a34ba299860b6f841
                                  • Opcode Fuzzy Hash: c9a889b7cfaa2132e44a0de6192cb1ddad7c37b2fa00d58de874dffdbb54e4bb
                                  • Instruction Fuzzy Hash: 9551C0B0940299DFDB12DF9CD445BAEBBF0FB00314F244158E846AB382D779AE45CB91
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  • Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction ID: 8b43c38b1da8c180fc17f08d95a24be19d0740e30fd19ea47d0696e2f565d762
                                  • Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction Fuzzy Hash: C8B12672E002A5DFDB158F68CC82BEE7BA5EF59310F1445A5E904AF282D778DD01CBA1
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00732730
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0073273B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 007327A9
                                    • Part of subcall function 0073288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 007328A4
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 00732756
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                  • String ID: `-p
                                  • API String ID: 677527491-3350804961
                                  • Opcode ID: 91d894926f0e56141dd8bcf1139b1847ce3ab0d4eeba6e4329a0dab96490db17
                                  • Instruction ID: 4d3d98dcde64b0c22fcde46be1fde036348e5cb5a7f9287d0b7228e2a9ce8125
                                  • Opcode Fuzzy Hash: 91d894926f0e56141dd8bcf1139b1847ce3ab0d4eeba6e4329a0dab96490db17
                                  • Instruction Fuzzy Hash: A701BC75A00211DBEB0AEB24D8495BD7BB1FF84790F544009E81157393CF3CAE02CB81
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0070750C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00707522
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: )p$[json.exception.
                                  • API String ID: 4194217158-3132663411
                                  • Opcode ID: 3d57e618cc71cbfba58d894cfdf6283a02c9c1a7e36220c00abeee73f90acc70
                                  • Instruction ID: 4d17704e4d88e7a98c2d35d73eaad80d8fc811fd3228886ba081f2a785ff4a7a
                                  • Opcode Fuzzy Hash: 3d57e618cc71cbfba58d894cfdf6283a02c9c1a7e36220c00abeee73f90acc70
                                  • Instruction Fuzzy Hash: 2251BCB1D05648DBDB10DFA8C90AB9EBBB4EF11314F144259E850AB3C2E7B85A48C7A1
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0070499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 323602529-1866435925
                                  • Opcode ID: df6351e3c59e3902678d7487d41b6f05886859086c11ab2d9090ce2e71a5e5e0
                                  • Instruction ID: 77e18022b6fbae2ec19d66e4703558513dff3908359a9cb4e7db221228f0dde9
                                  • Opcode Fuzzy Hash: df6351e3c59e3902678d7487d41b6f05886859086c11ab2d9090ce2e71a5e5e0
                                  • Instruction Fuzzy Hash: 6B1106B2914A48EBC710DB98DC06BAA73D8E705721F044769BF58D76C2EB3DA9048792
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00703819
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 007038F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: )p
                                  • API String ID: 2970364248-3545198885
                                  • Opcode ID: ba8e1a32c45ce6e8c5669b59a01214893058d1cad32ad68e5ea903c368664d8b
                                  • Instruction ID: ebec340246e471854b231da571580e7d7d8c92468d8cc6946db5f42d55d9a3df
                                  • Opcode Fuzzy Hash: ba8e1a32c45ce6e8c5669b59a01214893058d1cad32ad68e5ea903c368664d8b
                                  • Instruction Fuzzy Hash: E4617AB1C01648DFDB10CF98C849B9DFBB5FF18324F148259E824AB282D7B95A44CBA1
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0070499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::failbit set
                                  • API String ID: 323602529-1240500531
                                  • Opcode ID: 62002893a2814e2ef0411259a54f3ec052d151585fec47ac9d962e831ca23cf5
                                  • Instruction ID: abae7e67593740b6a7d8b8044a44e1e7758f56fead20c2c6780ee6c194409ebf
                                  • Opcode Fuzzy Hash: 62002893a2814e2ef0411259a54f3ec052d151585fec47ac9d962e831ca23cf5
                                  • Instruction Fuzzy Hash: F84104B1801248EBDB04DF58C845BAEBBF8FB05710F148359FA54A73C2D779AA04CBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00704061
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 007040C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name
                                  • API String ID: 3988782225-1405518554
                                  • Opcode ID: 67e06a9f303b7905680c5c49926e888001f3dfaee11546a3af7d0f308ec93c66
                                  • Instruction ID: 2ad1211e3405dbc273b893a12774b3a8bee0869fa82dce734be6797cb6f20d31
                                  • Opcode Fuzzy Hash: 67e06a9f303b7905680c5c49926e888001f3dfaee11546a3af7d0f308ec93c66
                                  • Instruction Fuzzy Hash: 9711E670805BC4EED721CF68C50474BBFF4AF15714F14869DD09597782D3B99A04CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 007165C9
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 007165FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: )p
                                  • API String ID: 2659868963-3545198885
                                  • Opcode ID: 630a6c79c938eb8d928773ed8b0c97b11c94cb266c961e10319d24db61b2f4fd
                                  • Instruction ID: 0e5bd00e04a788024648b20155c92e4d422f3bdd4b9ce78739d3ab3ada1d36d9
                                  • Opcode Fuzzy Hash: 630a6c79c938eb8d928773ed8b0c97b11c94cb266c961e10319d24db61b2f4fd
                                  • Instruction Fuzzy Hash: EA111CB1910749EBCB11CF99C980A86F7B9FB09720F10876AE924D7741E774A5448BA0
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00707A5C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00707A72
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3637104339.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: )p
                                  • API String ID: 4194217158-3545198885
                                  • Opcode ID: a959c2b73be5e78f721e260a98346c237df604ce76cf52bc12c8fcf291edd5d1
                                  • Instruction ID: 0596226daafd55dc6a774d47b60a711b51628e5f66f5493c6213f7918bf96e72
                                  • Opcode Fuzzy Hash: a959c2b73be5e78f721e260a98346c237df604ce76cf52bc12c8fcf291edd5d1
                                  • Instruction Fuzzy Hash: D5F06DB1804748EFD720DF98C90178DFBF8FB05724F50466AE824E3781E3B966088BA1

                                  Control-flow Graph

                                  APIs
                                  • setsockopt.WS2_32(000003E4,0000FFFF,00001006,?,00000008), ref: 007C7BA6
                                  • recv.WS2_32(?,00000004,00000002), ref: 007C7BC1
                                  • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 007C7C43
                                  • recv.WS2_32(00000000,0000000C,00000008), ref: 007C7C64
                                  • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?,00000000), ref: 007C7D00
                                    • Part of subcall function 007C8590: WSAStartup.WS2_32 ref: 007C85BA
                                    • Part of subcall function 007C8590: socket.WS2_32(?,?,?,?,?,?,00889328,?,?), ref: 007C865E
                                    • Part of subcall function 007C8590: connect.WS2_32(00000000,00859BFC,?,?,?,?,00889328,?,?), ref: 007C8672
                                    • Part of subcall function 007C8590: closesocket.WS2_32(00000000), ref: 007C867D
                                  • recv.WS2_32(00000000,?,00000008), ref: 007C7D1B
                                  • recv.WS2_32(?,00000004,00000008), ref: 007C7E23
                                  • __Xtime_get_ticks.LIBCPMT ref: 007C7E2A
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007C7E38
                                  • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 007C7EB1
                                  • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 007C7EB9
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: recv$Sleepsetsockopt$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsocket
                                  • String ID:
                                  • API String ID: 301102601-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 57 7c8590-7c85c2 WSAStartup 58 7c85c8-7c85f2 call 7ea420 * 2 57->58 59 7c8696-7c869f 57->59 64 7c85fe-7c8644 58->64 65 7c85f4-7c85f8 58->65 67 7c8646-7c864c 64->67 68 7c8690-7c8695 64->68 65->59 65->64 69 7c864e 67->69 70 7c86a4-7c86ae 67->70 68->59 71 7c8654-7c8668 socket 69->71 70->68 75 7c86b0-7c86b8 70->75 71->68 73 7c866a-7c867a connect 71->73 76 7c867c-7c8684 closesocket 73->76 77 7c86a0 73->77 76->71 78 7c8686-7c868a 76->78 77->70 78->68
                                  APIs
                                  • WSAStartup.WS2_32 ref: 007C85BA
                                  • socket.WS2_32(?,?,?,?,?,?,00889328,?,?), ref: 007C865E
                                  • connect.WS2_32(00000000,00859BFC,?,?,?,?,00889328,?,?), ref: 007C8672
                                  • closesocket.WS2_32(00000000), ref: 007C867D
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 79 709280-7092dd call 7163b0 82 709413-709521 call 702df0 call 7ea420 79->82 83 7092e3-7092e9 79->83 99 709523-709535 82->99 100 709537-70953f call 718dc0 82->100 85 7092f0-709313 83->85 87 709324-709331 85->87 88 709315-70931f 85->88 91 709342-70934f 87->91 92 709333-70933d 87->92 90 709403-709406 88->90 96 709409-70940d 90->96 93 709360-70936d 91->93 94 709351-70935b 91->94 92->90 97 70937e-70938b 93->97 98 70936f-709379 93->98 94->90 96->82 96->85 101 709399-7093a6 97->101 102 70938d-709397 97->102 98->90 103 709544-709597 call 7ea420 * 2 99->103 100->103 105 7093b4-7093c1 101->105 106 7093a8-7093b2 101->106 102->90 116 709599-7095c8 call 7ea420 call 735270 103->116 117 7095cb-7095e1 call 7ea420 103->117 108 7093c3-7093cd 105->108 109 7093cf-7093dc 105->109 106->90 108->90 111 7093ea-7093f4 109->111 112 7093de-7093e8 109->112 111->96 115 7093f6-7093ff 111->115 112->90 115->90 116->117 122 7096e2 117->122 123 7095e7-7095ed 117->123 127 7096e6-7096f0 122->127 126 7095f0-7096ce WSASend 123->126 145 7096d4-7096dc 126->145 146 70975f-709763 126->146 128 7096f2-7096fe 127->128 129 70971e-70973d 127->129 133 709700-70970e 128->133 134 709714-70971b call 7338f3 128->134 130 70976f-709796 129->130 131 70973f-70974b 129->131 136 709765-70976c call 7338f3 131->136 137 70974d-70975b 131->137 133->134 138 709797-7097fe call 738c70 call 702df0 * 2 133->138 134->129 136->130 137->138 140 70975d 137->140 140->136 145->122 145->126 146->127
                                  APIs
                                  • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0084D15C,00000000,76A923A0,-00889880), ref: 007096C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Send
                                  • String ID: Ws2_32.dll
                                  • API String ID: 121738739-3093949381

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 152 749789-7497ab 153 7497b1-7497b3 152->153 154 74999e 152->154 156 7497b5-7497d4 call 738be3 153->156 157 7497df-749802 153->157 155 7499a0-7499a4 154->155 165 7497d7-7497da 156->165 159 749804-749806 157->159 160 749808-74980e 157->160 159->160 162 749810-749821 159->162 160->156 160->162 163 749834-749844 call 7492ce 162->163 164 749823-749831 call 74263d 162->164 170 749846-74984c 163->170 171 74988d-74989f 163->171 164->163 165->155 174 749875-74988b call 748e9f 170->174 175 74984e-749851 170->175 172 7498f6-749916 WriteFile 171->172 173 7498a1-7498a7 171->173 180 749921 172->180 181 749918-74991e 172->181 176 7498e2-7498f4 call 74934b 173->176 177 7498a9-7498ac 173->177 191 74986e-749870 174->191 178 749853-749856 175->178 179 74985c-74986b call 749266 175->179 203 7498c9-7498cc 176->203 184 7498ce-7498e0 call 74950f 177->184 185 7498ae-7498b1 177->185 178->179 186 749936-749939 178->186 179->191 183 749924-74992f 180->183 181->180 192 749931-749934 183->192 193 749999-74999c 183->193 184->203 194 7498b7-7498c4 call 749426 185->194 195 74993c-74993e 185->195 186->195 191->183 192->186 193->155 194->203 200 749940-749945 195->200 201 74996c-749978 195->201 204 749947-749959 200->204 205 74995e-749967 call 7416c8 200->205 206 749982-749994 201->206 207 74997a-749980 201->207 203->191 204->165 205->165 206->165 207->154 207->206
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0074990E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 210 4fa09d9-4fa0ad3 call 4fa0adb 221 4fa0b26-4fa0b2f 210->221 222 4fa0ad5-4fa0ada 210->222 223 4fa0ba8-4fa0bc0 221->223 224 4fa0b31-4fa0ba5 call 4fa0ba7 221->224 225 4fa0bd7-4fa0bff GetCurrentHwProfileW 223->225 224->223 229 4fa0c18-4fa0c6c call 4fa0c64 225->229 237 4fa0c72-4fa0c74 229->237 238 4fa0c6d call 4fa0c80 229->238 239 4fa0c7b-4fa0c7e 237->239 240 4fa0c76-4fa0c7a 237->240 238->237 240->239
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 241 4fa0adb-4fa0bc0 call 4fa0ba7 250 4fa0bd7-4fa0bff GetCurrentHwProfileW 241->250 252 4fa0c18-4fa0c6c call 4fa0c64 250->252 257 4fa0c72-4fa0c74 252->257 258 4fa0c6d call 4fa0c80 252->258 259 4fa0c7b-4fa0c7e 257->259 260 4fa0c76-4fa0c7a 257->260 258->257 260->259
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 261 4fa0aee-4fa0bc0 call 4fa0ba7 270 4fa0bd7-4fa0bff GetCurrentHwProfileW 261->270 272 4fa0c18-4fa0c6c call 4fa0c64 270->272 277 4fa0c72-4fa0c74 272->277 278 4fa0c6d call 4fa0c80 272->278 279 4fa0c7b-4fa0c7e 277->279 280 4fa0c76-4fa0c7a 277->280 278->277 280->279
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 281 4fa0b23-4fa0b2f 283 4fa0ba8-4fa0bc0 281->283 284 4fa0b31-4fa0ba5 call 4fa0ba7 281->284 285 4fa0bd7-4fa0bff GetCurrentHwProfileW 283->285 284->283 289 4fa0c18-4fa0c6c call 4fa0c64 285->289 297 4fa0c72-4fa0c74 289->297 298 4fa0c6d call 4fa0c80 289->298 299 4fa0c7b-4fa0c7e 297->299 300 4fa0c76-4fa0c7a 297->300 298->297 300->299
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04FA0BEE
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 301 4fa0b0f-4fa0bc0 call 4fa0ba7 308 4fa0bd7-4fa0bff GetCurrentHwProfileW 301->308 310 4fa0c18-4fa0c6c call 4fa0c64 308->310 315 4fa0c72-4fa0c74 310->315 316 4fa0c6d call 4fa0c80 310->316 317 4fa0c7b-4fa0c7e 315->317 318 4fa0c76-4fa0c7a 315->318 316->315 318->317
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 319 4fa0b7b-4fa0b99 320 4fa0ba1-4fa0bc0 319->320 321 4fa0b9c call 4fa0ba7 319->321 323 4fa0bd7-4fa0bff GetCurrentHwProfileW 320->323 321->320 325 4fa0c18-4fa0c6c call 4fa0c64 323->325 330 4fa0c72-4fa0c74 325->330 331 4fa0c6d call 4fa0c80 325->331 332 4fa0c7b-4fa0c7e 330->332 333 4fa0c76-4fa0c7a 330->333 331->330 333->332
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 334 4fa0b66-4fa0bc0 call 4fa0ba7 340 4fa0bd7-4fa0bff GetCurrentHwProfileW 334->340 342 4fa0c18-4fa0c6c call 4fa0c64 340->342 347 4fa0c72-4fa0c74 342->347 348 4fa0c6d call 4fa0c80 342->348 349 4fa0c7b-4fa0c7e 347->349 350 4fa0c76-4fa0c7a 347->350 348->347 350->349
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 351 4fa0ba7-4fa0bc0 353 4fa0bd7-4fa0bff GetCurrentHwProfileW 351->353 355 4fa0c18-4fa0c6c call 4fa0c64 353->355 360 4fa0c72-4fa0c74 355->360 361 4fa0c6d call 4fa0c80 355->361 362 4fa0c7b-4fa0c7e 360->362 363 4fa0c76-4fa0c7a 360->363 361->360 363->362
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04FA0BEE
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 364 748dff-748e13 call 74e940 367 748e15-748e17 364->367 368 748e19-748e21 364->368 369 748e67-748e87 call 74e8af 367->369 370 748e23-748e2a 368->370 371 748e2c-748e2f 368->371 381 748e99 369->381 382 748e89-748e97 call 7416c8 369->382 370->371 373 748e37-748e4b call 74e940 * 2 370->373 374 748e31-748e35 371->374 375 748e4d-748e5d call 74e940 FindCloseChangeNotification 371->375 373->367 373->375 374->373 374->375 375->367 385 748e5f-748e65 375->385 383 748e9b-748e9e 381->383 382->383 385->369
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00748CE6,00000000,?,0087A178,0000000C,00748DA2,?,?,?), ref: 00748E55
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0

                                  Control-flow Graph

                                  control_flow_graph 390 4fa0bdd-4fa0bea 391 4fa0bcb-4fa0bd8 390->391 392 4fa0bec 390->392 394 4fa0bee-4fa0bff GetCurrentHwProfileW 391->394 392->394 395 4fa0c18-4fa0c6c call 4fa0c64 394->395 400 4fa0c72-4fa0c74 395->400 401 4fa0c6d call 4fa0c80 395->401 402 4fa0c7b-4fa0c7e 400->402 403 4fa0c76-4fa0c7a 400->403 401->400 403->402
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04FA0BEE
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  control_flow_graph 404 74251c-742534 call 74e940 407 742536-74253d 404->407 408 74254a-742560 SetFilePointerEx 404->408 409 742544-742548 407->409 410 742575-74257f 408->410 411 742562-742573 call 7416c8 408->411 412 74259b-74259e 409->412 410->409 413 742581-742596 410->413 411->409 413->412
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00742626,?,?,?,?,?), ref: 00742558
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04FA0BEE
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655698634.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fa0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0070331F
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00749FE0,00000001,00000364,00000001,00000006,000000FF,?,00734B3F,?,?,76A923A0,?), ref: 0074A69C
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00734B3F,?,?,76A923A0,?,?,00703522,?,?), ref: 0074B0C6
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3655789594.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  • Associated: 0000000A.00000002.3636797458.0000000000700000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3636873038.0000000000885000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3639383615.000000000088A000.00000008.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3639511163.000000000088D000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3639511163.0000000000A0D000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3639511163.0000000000AEF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3639511163.0000000000B2C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3639511163.0000000000B34000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3639511163.0000000000B42000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3644544074.0000000000B43000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3645392207.0000000000CD9000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3645494287.0000000000CDB000.00000080.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                  • Instruction ID: a3b7b9fd0d1b82f2c9f6240b838cbf48d578130d2754f3a5d9c04f6e5488bac0
                                  • Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                  • Instruction Fuzzy Hash: 6C023B71E012199BEF15CFA9C9806AEFBB1FF48314F248269E919F7341D735A941CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0071A09D
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0071A0BF
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0071A0E7
                                  • __Getctype.LIBCPMT ref: 0071A1C5
                                  • std::_Facet_Register.LIBCPMT ref: 0071A1F9
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0071A223
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID: PDp$PGp$Ep
                                  • API String ID: 1102183713-1397274705
                                  • Opcode ID: cecce58ad121800b8bc16797ad0b8871fe73ee9bd516f67570fc1d2f691aa78d
                                  • Instruction ID: db456769c6ff670067cd7d30ba1b5f659ee4502f9e269b6fb1b4c37fa38b398a
                                  • Opcode Fuzzy Hash: cecce58ad121800b8bc16797ad0b8871fe73ee9bd516f67570fc1d2f691aa78d
                                  • Instruction Fuzzy Hash: 1D51BBB0D01249EFDB10CF98C9457AEBBF0FB10710F148258D855AB392E778AE85CB92
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00737307
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0073730F
                                  • _ValidateLocalCookies.LIBCMT ref: 00737398
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 007373C3
                                  • _ValidateLocalCookies.LIBCMT ref: 00737418
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: `-p$csm
                                  • API String ID: 1170836740-1528604419
                                  • Opcode ID: aa444dcea41644ab0e155018e3ac687948ea9e1877ca9f702021f2d130b610ea
                                  • Instruction ID: dcd07bd1f41f0ce05acd2b5c89e422495001d819e37028ee29f906b922224844
                                  • Opcode Fuzzy Hash: aa444dcea41644ab0e155018e3ac687948ea9e1877ca9f702021f2d130b610ea
                                  • Instruction Fuzzy Hash: B141D170A04249DBDF24DF68C885A9EBBA5FF05324F148055FC14AB353DB39EA15CB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0071C45A
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0071C47C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0071C4A4
                                  • std::_Facet_Register.LIBCPMT ref: 0071C59A
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0071C5C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID: Ep$PDp
                                  • API String ID: 459529453-1936355350
                                  • Opcode ID: c9a889b7cfaa2132e44a0de6192cb1ddad7c37b2fa00d58de874dffdbb54e4bb
                                  • Instruction ID: 901f1b06eeb6dbcc61c283b4a73c4069b4416178bd86934a34ba299860b6f841
                                  • Opcode Fuzzy Hash: c9a889b7cfaa2132e44a0de6192cb1ddad7c37b2fa00d58de874dffdbb54e4bb
                                  • Instruction Fuzzy Hash: 9551C0B0940299DFDB12DF9CD445BAEBBF0FB00314F244158E846AB382D779AE45CB91
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: _strrchr
                                  • String ID:
                                  • API String ID: 3213747228-0
                                  • Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction ID: 8b43c38b1da8c180fc17f08d95a24be19d0740e30fd19ea47d0696e2f565d762
                                  • Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                  • Instruction Fuzzy Hash: C8B12672E002A5DFDB158F68CC82BEE7BA5EF59310F1445A5E904AF282D778DD01CBA1
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00732730
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0073273B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 007327A9
                                    • Part of subcall function 0073288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 007328A4
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 00732756
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                  • String ID: `-p
                                  • API String ID: 677527491-3350804961
                                  • Opcode ID: 91d894926f0e56141dd8bcf1139b1847ce3ab0d4eeba6e4329a0dab96490db17
                                  • Instruction ID: 4d3d98dcde64b0c22fcde46be1fde036348e5cb5a7f9287d0b7228e2a9ce8125
                                  • Opcode Fuzzy Hash: 91d894926f0e56141dd8bcf1139b1847ce3ab0d4eeba6e4329a0dab96490db17
                                  • Instruction Fuzzy Hash: A701BC75A00211DBEB0AEB24D8495BD7BB1FF84790F544009E81157393CF3CAE02CB81
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0070750C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00707522
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: )p$[json.exception.
                                  • API String ID: 4194217158-3132663411
                                  • Opcode ID: 3d57e618cc71cbfba58d894cfdf6283a02c9c1a7e36220c00abeee73f90acc70
                                  • Instruction ID: 4d17704e4d88e7a98c2d35d73eaad80d8fc811fd3228886ba081f2a785ff4a7a
                                  • Opcode Fuzzy Hash: 3d57e618cc71cbfba58d894cfdf6283a02c9c1a7e36220c00abeee73f90acc70
                                  • Instruction Fuzzy Hash: 2251BCB1D05648DBDB10DFA8C90AB9EBBB4EF11314F144259E850AB3C2E7B85A48C7A1
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0070499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 323602529-1866435925
                                  • Opcode ID: df6351e3c59e3902678d7487d41b6f05886859086c11ab2d9090ce2e71a5e5e0
                                  • Instruction ID: 77e18022b6fbae2ec19d66e4703558513dff3908359a9cb4e7db221228f0dde9
                                  • Opcode Fuzzy Hash: df6351e3c59e3902678d7487d41b6f05886859086c11ab2d9090ce2e71a5e5e0
                                  • Instruction Fuzzy Hash: 6B1106B2914A48EBC710DB98DC06BAA73D8E705721F044769BF58D76C2EB3DA9048792
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00703819
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 007038F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: )p
                                  • API String ID: 2970364248-3545198885
                                  • Opcode ID: ba8e1a32c45ce6e8c5669b59a01214893058d1cad32ad68e5ea903c368664d8b
                                  • Instruction ID: ebec340246e471854b231da571580e7d7d8c92468d8cc6946db5f42d55d9a3df
                                  • Opcode Fuzzy Hash: ba8e1a32c45ce6e8c5669b59a01214893058d1cad32ad68e5ea903c368664d8b
                                  • Instruction Fuzzy Hash: E4617AB1C01648DFDB10CF98C849B9DFBB5FF18324F148259E824AB282D7B95A44CBA1
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0070499F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::failbit set
                                  • API String ID: 323602529-1240500531
                                  • Opcode ID: 5d90170d8e8870d9a8c89d992fd6d2beabd54258609ae0d6938f4579b1b40766
                                  • Instruction ID: abae7e67593740b6a7d8b8044a44e1e7758f56fead20c2c6780ee6c194409ebf
                                  • Opcode Fuzzy Hash: 5d90170d8e8870d9a8c89d992fd6d2beabd54258609ae0d6938f4579b1b40766
                                  • Instruction Fuzzy Hash: F84104B1801248EBDB04DF58C845BAEBBF8FB05710F148359FA54A73C2D779AA04CBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00704061
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 007040C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                  • String ID: bad locale name
                                  • API String ID: 3988782225-1405518554
                                  • Opcode ID: 67e06a9f303b7905680c5c49926e888001f3dfaee11546a3af7d0f308ec93c66
                                  • Instruction ID: 2ad1211e3405dbc273b893a12774b3a8bee0869fa82dce734be6797cb6f20d31
                                  • Opcode Fuzzy Hash: 67e06a9f303b7905680c5c49926e888001f3dfaee11546a3af7d0f308ec93c66
                                  • Instruction Fuzzy Hash: 9711E670805BC4EED721CF68C50474BBFF4AF15714F14869DD09597782D3B99A04CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 007165C9
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 007165FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: )p
                                  • API String ID: 2659868963-3545198885
                                  • Opcode ID: 630a6c79c938eb8d928773ed8b0c97b11c94cb266c961e10319d24db61b2f4fd
                                  • Instruction ID: 0e5bd00e04a788024648b20155c92e4d422f3bdd4b9ce78739d3ab3ada1d36d9
                                  • Opcode Fuzzy Hash: 630a6c79c938eb8d928773ed8b0c97b11c94cb266c961e10319d24db61b2f4fd
                                  • Instruction Fuzzy Hash: EA111CB1910749EBCB11CF99C980A86F7B9FB09720F10876AE924D7741E774A5448BA0
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00707A5C
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00707A72
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3636873038.0000000000701000.00000040.00000001.01000000.00000006.sdmp, Offset: 00700000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_700000_RageMP131.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: )p
                                  • API String ID: 4194217158-3545198885
                                  • Opcode ID: a959c2b73be5e78f721e260a98346c237df604ce76cf52bc12c8fcf291edd5d1
                                  • Instruction ID: 0596226daafd55dc6a774d47b60a711b51628e5f66f5493c6213f7918bf96e72
                                  • Opcode Fuzzy Hash: a959c2b73be5e78f721e260a98346c237df604ce76cf52bc12c8fcf291edd5d1
                                  • Instruction Fuzzy Hash: D5F06DB1804748EFD720DF98C90178DFBF8FB05724F50466AE824E3781E3B966088BA1