Windows Analysis Report
D44CPdpkNk.exe

Overview

General Information

Sample name: D44CPdpkNk.exe (renamed because the original name is a hash value)
Original sample name: 093bda46f4ebe927a99cc0e120d50d8c.exe
Analysis ID: 1459954
MD5: 093bda46f4ebe927a99cc0e120d50d8c
SHA1: 1312d8e21c7ac0fcf1f64067690151a86738c856
SHA256: ffd113a300e84aa5e0f426f711104fb6f6ac411a5c02f620433a0bd76e30b141
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • D44CPdpkNk.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\D44CPdpkNk.exe" MD5: 093BDA46F4EBE927A99CC0E120D50D8C)
    • schtasks.exe (PID: 7392 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7440 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • MPGPH131.exe (PID: 7524 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 093BDA46F4EBE927A99CC0E120D50D8C)
          • WerFault.exe (PID: 4936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 1896 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 632 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7500 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 093BDA46F4EBE927A99CC0E120D50D8C)
    • WerFault.exe (PID: 3244 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 1920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 7600 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 093BDA46F4EBE927A99CC0E120D50D8C)
    • WerFault.exe (PID: 7792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 1900 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 7924 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 093BDA46F4EBE927A99CC0E120D50D8C)
  • cleanup
No configs have been found
Dropped files:
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Sfn1YyGgu6CGTeBtRcADBVG.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\UWUWkzI6iEQD6XYchYfKNkl.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\O2ikhRyQ71SvrRUjZ9MvGf7.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\hOyPUaIJ5lfWhg1CogD2H0Y.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

Memory dumps:
Source | Rule | Description | Author | Strings
00000000.00000003.2506747814.0000000005660000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0000000B.00000003.2632498657.00000000057A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0000000B.00000002.2667670233.00000000057AA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000005.00000002.2704555272.0000000005760000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000006.00000003.2474706662.00000000057B1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
(24 memory-dump entries in total; the first 5 are shown here)

                    System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\D44CPdpkNk.exe, ProcessId: 7344, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Snort IDS alerts:
Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
06/20/24-10:18:18.266820  2046269  49732        58709             TCP       A Network Trojan was detected
06/20/24-10:18:12.891833  2046269  49731        58709             TCP       A Network Trojan was detected
06/20/24-10:18:36.172836  2046269  49747        58709             TCP       A Network Trojan was detected
06/20/24-10:17:06.155610  2049060  49731        58709             TCP       A Network Trojan was detected
06/20/24-10:17:34.165292  2046267  58709        49747             TCP       A Network Trojan was detected
06/20/24-10:17:10.831103  2046266  58709        49732             TCP       A Network Trojan was detected
06/20/24-10:18:27.329405  2046269  49734        58709             TCP       A Network Trojan was detected
06/20/24-10:17:26.653501  2046266  58709        49747             TCP       A Network Trojan was detected
06/20/24-10:17:18.297909  2046266  58709        49734             TCP       A Network Trojan was detected
06/20/24-10:17:06.743077  2046266  58709        49731             TCP       A Network Trojan was detected
06/20/24-10:17:10.864562  2046266  58709        49733             TCP       A Network Trojan was detected
06/20/24-10:18:18.313506  2046269  49733        58709             TCP       A Network Trojan was detected
06/20/24-10:17:23.519101  2046267  58709        49731             TCP       A Network Trojan was detected
06/20/24-10:17:23.729447  2046267  58709        49732             TCP       A Network Trojan was detected
06/20/24-10:17:23.804516  2046267  58709        49733             TCP       A Network Trojan was detected
06/20/24-10:17:28.105368  2046267  58709        49734             TCP       A Network Trojan was detected


                    AV Detection

Source: http://77.91.77.81/mine/amadka.exero | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/lenin.exein | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeO | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeA | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe?~ | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/lenin.exeisepro_bot | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exes | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe0.1 | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exectrum | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exes.binr | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exec176af | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exem | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe | Virustotal: Detection: 23%
Source: http://77.91.77.81/cost/go.exe | Virustotal: Detection: 23%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 50%
Source: D44CPdpkNk.exe | ReversingLabs: Detection: 50%
Source: D44CPdpkNk.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: D44CPdpkNk.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_004C6B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,5_2_004C6B00
Source: D44CPdpkNk.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00493F40
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004C6000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,5_2_004E6770
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,5_2_00493F40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,5_2_004DFF00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError,5_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,5_2_00432022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004938D0

                    Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49734
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49734 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49747
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49734
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49747 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49747
Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 104.26.4.15
Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io (the report lists this identical request 5 times)
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com (the report lists this identical request 5 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66 (the report lists 50 such connections to this address)
Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,0_2_004C8590
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive (the sample's first request; ipinfo.io reports the caller's own public address)
                    Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io (5 identical requests in this section; 8.46.123.33 is the analysis host's public IP obtained from the preceding GET /)
                    Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com (5 identical requests in this section, interleaved with the ipinfo.io widget requests above; a Content-Type header on a body-less GET is a hard-coded HTTP client artifact, not browser behaviour)
                    Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
                    Source: global traffic | DNS traffic detected: DNS query: db-ip.com
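The rows above describe a recognisable sequence: direct TCP to 77.91.77.66 with no DNS query, a GET / to ipinfo.io to learn the public IP, then that IP fed into the unauthenticated "demo" endpoints of ipinfo.io and db-ip.com; the memory strings further down add three next-stage URLs on 77.91.77.81, each followed by stray heap bytes. The Python below is an added example (not part of this Joe Sandbox report or of the sample) that turns those rows into a small triage check: it normalises the residue-laden URL strings into clean IOCs and then replays the report's network signatures over constructed log lines. The log line format, the hostnames WS01/WS02, the 192.0.2.x and 198.51.100.x resolver answers, the destination ports and the MANY_PORTS threshold are all assumptions made for the example; only the URLs and the two 77.91.77.x addresses come from the report.

```python
"""
Network-log triage against the IOCs recorded in this Joe Sandbox report.

Added example: it is not part of the report or of the sample.  The log line
format, the hostnames WS01/WS02, the 192.0.2.x / 198.51.100.x resolver
answers and the destination ports are all constructed for the example; only
the URLs and the IPs 77.91.77.66 / 77.91.77.81 come from the report.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Payload URLs exactly as the "String found in binary or memory" rows show
# them: the real URL is followed by whatever bytes sat next to it on the heap.
RAW_MEMORY_STRINGS = [
    "http://77.91.77.81/cost/go.exe",
    "http://77.91.77.81/cost/go.exe?~",
    "http://77.91.77.81/cost/go.exeO",
    "http://77.91.77.81/cost/lenin.exec176af",
    "http://77.91.77.81/cost/lenin.exeisepro_bot",
    "http://77.91.77.81/mine/amadka.exe0.1",
    "http://77.91.77.81/mine/amadka.exes.binr",
]

# A download URL ends at ".exe" and a geolocation URL ends at the dotted-quad
# victim IP.  The greedy \S* plus backtracking keeps the LAST such boundary,
# so "go.exe?~" -> "go.exe" and "home.php?s=8.46.123.33dJ6" -> "...33".
_URL_BOUNDARY = re.compile(r"^(https?://\S*(?:\.exe|\d{1,3}(?:\.\d{1,3}){3}))")


def normalize_url(s: str) -> str:
    """Trim trailing memory residue; unchanged if no boundary is recognised."""
    m = _URL_BOUNDARY.match(s)
    return m.group(1) if m else s


PAYLOAD_URLS: Set[str] = {normalize_url(s) for s in RAW_MEMORY_STRINGS}

# The two "demo" geolocation endpoints the sample hit, with the public IP it
# learned from its first GET / to ipinfo.io appended.
GEO_LOOKUP = re.compile(
    r"^https://(?:ipinfo\.io/widget/demo/|db-ip\.com/demo/home\.php\?s=)"
    r"\d{1,3}(?:\.\d{1,3}){3}$"
)

MANY_PORTS = 3  # assumption: distinct ports to one IP from one host before alerting

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """'<ts> <KIND> k=v k=v ...' -> (ts, KIND, fields); None if malformed."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    return ts, kind.upper(), dict(_KV.findall(rest))


def analyze(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) findings, mirroring the report's signatures."""
    resolved: Dict[str, Set[str]] = defaultdict(set)           # host -> DNS answers seen
    ports: Dict[Tuple[str, str], Set[str]] = defaultdict(set)  # (host, ip) -> ports
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, kind, f = parsed
        host = f.get("host", "?")
        if kind == "DNS":
            if "answer" in f:
                resolved[host].add(f["answer"])
            continue
        ip, _, port = f.get("dst", "").rpartition(":")
        if ip:
            # "TCP traffic detected without corresponding DNS query"
            if ip not in resolved[host]:
                findings.append((host, "tcp_without_dns", f"{ip}:{port}"))
            # "Connects to many ports of the same IP"
            ports[(host, ip)].add(port)
            if len(ports[(host, ip)]) == MANY_PORTS:
                findings.append((host, "many_ports_same_ip", ip))
        url = normalize_url(f.get("url", ""))
        if url in PAYLOAD_URLS:
            findings.append((host, "payload_url", url))
        elif GEO_LOOKUP.match(url):
            findings.append((host, "geoip_demo_lookup", url))
    return findings


# Constructed sample log (not sandbox output).  WS01 replays the behaviour in
# this report; WS02 is ordinary traffic and should produce no findings.
SAMPLE_LOG = """\
2024-06-14T10:00:01Z DNS  host=WS01 query=ipinfo.io answer=192.0.2.10
2024-06-14T10:00:02Z HTTP host=WS01 dst=192.0.2.10:443 url=https://ipinfo.io/widget/demo/8.46.123.33
2024-06-14T10:00:03Z DNS  host=WS01 query=db-ip.com answer=192.0.2.20
2024-06-14T10:00:04Z HTTP host=WS01 dst=192.0.2.20:443 url=https://db-ip.com/demo/home.php?s=8.46.123.33
2024-06-14T10:00:05Z TCP  host=WS01 dst=77.91.77.66:50500
2024-06-14T10:00:06Z TCP  host=WS01 dst=77.91.77.66:50505
2024-06-14T10:00:07Z TCP  host=WS01 dst=77.91.77.66:50510
2024-06-14T10:00:09Z HTTP host=WS01 dst=77.91.77.81:80 url=http://77.91.77.81/cost/go.exe
2024-06-14T10:01:00Z DNS  host=WS02 query=www.example.com answer=198.51.100.5
2024-06-14T10:01:01Z HTTP host=WS02 dst=198.51.100.5:443 url=https://www.example.com/
""".splitlines()

if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_LOG):
        print(f"{host}\t{rule}\t{detail}")
```

Two caveats before using this against real telemetry. `tcp_without_dns` needs the DNS answers in the same window as the connections; a cached or earlier resolution, or software that legitimately talks to raw IPs, produces false positives, so treat it as a weighting signal and alert on the combination with the geo-IP "demo" lookups and the 77.91.77.x destinations. The residue trimming only recognises ".exe" and IPv4 boundaries, which is enough for the strings in this report but not a general memory-string cleaner.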
                    Source: D44CPdpkNk.exe, 00000000.00000003.2465875391.0000000000D3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2721397992.0000000005787000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2581535637.000000000565C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2581253200.0000000005659000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2733371360.000000000565D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2667457557.000000000577B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exe (first of three next-stage download URLs on 77.91.77.81, the same /24 as the direct-IP destination 77.91.77.66 above)
                    Source: RageMP131.exe, 00000007.00000003.2581535637.000000000565C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2581253200.0000000005659000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2733371360.000000000565D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exe?~ (here and in the following rows the characters after .exe are adjacent heap bytes, not part of the URL)
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exeO
                    Source: RageMP131.exe, 0000000B.00000002.2667457557.000000000577B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exes
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exec176af
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exectrum
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exein
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exeisepro_bot
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exem
                    Source: RageMP131.exe, 0000000B.00000002.2667608529.00000000057A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe0.1
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exeA
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exero
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exes.binr
                    Source: Amcache.hve.17.dr | String found in binary or memory: http://upx.sf.net (UPX packer banner string)
                    Source: D44CPdpkNk.exe, 00000000.00000003.1720099706.0000000002860000.00000004.00001000.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2701725233.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1767157197.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2717586552.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1767470994.0000000002880000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2730516267.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1846027883.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1927997441.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2665087041.000000000055D000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll (zlib/minizip library banner embedded in the executable image, consistent with the .zip archives it drops)
                    Source: D44CPdpkNk.exe, 00000000.00000003.2462949812.000000000569A000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466769777.00000000056AC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464115255.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2467965125.00000000057FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2461510506.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2465499374.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2460474928.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2536129410.000000000568C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2537025525.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2541983157.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2627048906.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2623929888.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, u1bz9SOgrSepWeb Data.7.dr, 8K3NvYKoF0DKWeb Data.0.dr, CW09Q1VnvrXtWeb Data.6.dr, X4w8fLfloerdWeb Data.11.dr, TGgMbIm7Fwe7Web Data.6.dr, owf9GshuzJ25Web Data.11.dr, qZ4vtdSQrsMXWeb Data.11.dr, t1K7aC5iYP_kWeb Data.7.dr, JiGBQplW34HlWeb Data.0.dr | Strings found in binary or memory: https://ac.ecosia.org/autocomplete?q= ; https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= ; https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search ; https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= (default search-engine entries from the Chromium "Web Data" profile database, which the sample copies to the randomly named *Web Data dropped files; browser profile content, not attacker infrastructure)
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387506788.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
                    Source: RageMP131.exe, 0000000B.00000003.2387506788.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/;8H
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/Kht
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/Q
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33L ; https://db-ip.com/demo/home.php?s=8.46.123.33X
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33dJ6
                    Source: RageMP131.exe, 0000000B.00000003.2387506788.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33p3 ; https://db-ip.com/e8RH(
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387506788.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33 (the request URL as assembled by the HTTP client, matching the db-ip.com GET captured in the network traffic above)
                    Source: D44CPdpkNk.exe, 00000000.00000003.2462949812.000000000569A000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466769777.00000000056AC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464115255.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2467965125.00000000057FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2461510506.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2465499374.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2460474928.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2536129410.000000000568C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2537025525.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2541983157.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2627048906.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2623929888.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, u1bz9SOgrSepWeb Data.7.dr, 8K3NvYKoF0DKWeb Data.0.dr, CW09Q1VnvrXtWeb Data.6.dr, X4w8fLfloerdWeb Data.11.dr, TGgMbIm7Fwe7Web Data.6.dr, owf9GshuzJ25Web Data.11.dr, qZ4vtdSQrsMXWeb Data.11.dr, t1K7aC5iYP_kWeb Data.7.dr, JiGBQplW34HlWeb Data.0.dr | Strings found in binary or memory: https://duckduckgo.com/ac/?q= ; https://duckduckgo.com/chrome_newtab ; https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= (same copied Chromium "Web Data" search-engine entries as the ecosia/yahoo rows above; browser profile content, not attacker infrastructure)
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387506788.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/)
                    Source: D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387506788.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Mozilla/5.0 (the Referer value and the start of the User-Agent string stored back to back, as sent in the ipinfo.io requests above)
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169296486.0000000000D28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/N
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/S
                    Source: D44CPdpkNk.exe, 00000000.00000003.1720099706.0000000002860000.00000004.00001000.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2701725233.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1767157197.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2717586552.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1767470994.0000000002880000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2730516267.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1846027883.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1927997441.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2665087041.000000000055D000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll (three adjacent string constants in the executable image: the ipinfo.io URL, a maxmind.com IP-lookup URL and the Ws2_32.dll import name; not a single URL)
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000E90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33d-
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33o5
                    Source: D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169296486.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387506788.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
                    Source: D44CPdpkNk.exe, 00000000.00000003.2469734911.0000000005660000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory: https://support.microsoft. ; https://support.microsoft.. (truncated as extracted)
                    Source: 3b6N2Xdh3CYwplaces.sqlite.11.dr | Strings found in binary or memory: https://support.mozilla.org ; https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br ; https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF (places.sqlite is a copied Firefox history/bookmarks database; the "gro.allizom.troppus." suffix is the reversed-hostname rev_host column of moz_places stored next to the URL, not part of it)
                    Source: D44CPdpkNk.exe, 00000000.00000003.2465949048.000000000569A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2464648872.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2535985521.0000000005699000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666934296.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2632992763.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, lsAFEDVzYJlMHistory.6.dr, aSLZ4Feg28S4History.0.dr, v9460BEWAmo6History.6.dr, J7Touhh5YhR_History.0.dr, _1TNl_23bSjIHistory.11.dr, 8cbHFLCQ6whQHistory.7.dr, 5QPDGmo5G4k0History.11.dr, O9ahXmBQyGuqHistory.7.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 (from the copied Chromium History databases; sandbox browser profile content, not attacker infrastructure)
                    Source: lsAFEDVzYJlMHistory.6.dr, aSLZ4Feg28S4History.0.dr, v9460BEWAmo6History.6.dr, J7Touhh5YhR_History.0.dr, _1TNl_23bSjIHistory.11.dr, 8cbHFLCQ6whQHistory.7.dr, 5QPDGmo5G4k0History.11.dr, O9ahXmBQyGuqHistory.7.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: RageMP131.exe, 0000000B.00000002.2666934296.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2632992763.0000000000F33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016zy
                    Source: D44CPdpkNk.exe, 00000000.00000003.2465949048.000000000569A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2464648872.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2535985521.0000000005699000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, lsAFEDVzYJlMHistory.6.dr, aSLZ4Feg28S4History.0.dr, v9460BEWAmo6History.6.dr, J7Touhh5YhR_History.0.dr, _1TNl_23bSjIHistory.11.dr, 8cbHFLCQ6whQHistory.7.dr, 5QPDGmo5G4k0History.11.dr, O9ahXmBQyGuqHistory.7.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: lsAFEDVzYJlMHistory.6.dr, aSLZ4Feg28S4History.0.dr, v9460BEWAmo6History.6.dr, J7Touhh5YhR_History.0.dr, _1TNl_23bSjIHistory.11.dr, 8cbHFLCQ6whQHistory.7.dr, 5QPDGmo5G4k0History.11.dr, O9ahXmBQyGuqHistory.7.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17oinR6
                    Source: RageMP131.exe, 00000007.00000002.2733173056.0000000005624000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2632498657.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2667670233.00000000057AA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2632832669.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, Sfn1YyGgu6CGTeBtRcADBVG.zip.7.dr, UWUWkzI6iEQD6XYchYfKNkl.zip.11.dr, hOyPUaIJ5lfWhg1CogD2H0Y.zip.6.dr, O2ikhRyQ71SvrRUjZ9MvGf7.zip.0.drString found in binary or memory: https://t.me/RiseProSUPPORT
                    Source: MPGPH131.exe, 00000005.00000003.2478743277.00000000057C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTVgpSODDpgWGzlwXVCLTXRkn.exe
                    Source: D44CPdpkNk.exe, 00000000.00000003.2506747814.0000000005660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTx&$
                    Source: D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387506788.0000000000EDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387635709.0000000000F29000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.7.dr, passwords.txt.0.dr, passwords.txt.11.dr, passwords.txt.6.drString found in binary or memory: https://t.me/risepro_bot
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot.46.123.33
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot;
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botcAw
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botlaterH
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bots
                    Source: RageMP131.exe, 0000000B.00000003.2387506788.0000000000EDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.p
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.z
                    Source: D44CPdpkNk.exe, 00000000.00000003.2462949812.000000000569A000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466769777.00000000056AC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464115255.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2467965125.00000000057FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2461510506.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2465499374.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2460474928.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2536129410.000000000568C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2537025525.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2541983157.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2627048906.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2623929888.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, u1bz9SOgrSepWeb Data.7.dr, 8K3NvYKoF0DKWeb Data.0.dr, CW09Q1VnvrXtWeb Data.6.dr, X4w8fLfloerdWeb Data.11.dr, TGgMbIm7Fwe7Web Data.6.dr, owf9GshuzJ25Web Data.11.dr, qZ4vtdSQrsMXWeb Data.11.dr, t1K7aC5iYP_kWeb Data.7.dr, JiGBQplW34HlWeb Data.0.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: D44CPdpkNk.exe, 00000000.00000003.2462949812.000000000569A000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466769777.00000000056AC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464115255.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2467965125.00000000057FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2461510506.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2465499374.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2460474928.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2536129410.000000000568C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2537025525.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2541983157.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2627048906.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2623929888.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, u1bz9SOgrSepWeb Data.7.dr, 8K3NvYKoF0DKWeb Data.0.dr, CW09Q1VnvrXtWeb Data.6.dr, X4w8fLfloerdWeb Data.11.dr, TGgMbIm7Fwe7Web Data.6.dr, owf9GshuzJ25Web Data.11.dr, qZ4vtdSQrsMXWeb Data.11.dr, t1K7aC5iYP_kWeb Data.7.dr, JiGBQplW34HlWeb Data.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: D44CPdpkNk.exe, MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                    Source: 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org
                    Source: 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                    Source: 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000E47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                    Source: D44CPdpkNk.exe, 00000000.00000003.2506747814.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2467560501.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2465674401.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466972371.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2460883690.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2463567446.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2460461316.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2461292656.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466047727.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2464354748.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2469734911.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2463104595.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2459932544.0000000005660000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464250347.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2469251142.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2467642669.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2470234298.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2460795598.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2474580731.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2465546710.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464797041.00000000057B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/~
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/~2
                    Source: 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000E47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/7)_1
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000E47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/PPORT
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
                    Source: D44CPdpkNk.exe, 00000000.00000003.2506747814.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2467560501.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2465674401.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466972371.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2460883690.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2463567446.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2460461316.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2461292656.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466047727.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2464354748.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2469734911.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2463104595.0000000005660000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2459932544.0000000005660000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464250347.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2469251142.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2467642669.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2470234298.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2460795598.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2474580731.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2465546710.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464797041.00000000057B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/r
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/ss_1
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/topc
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/xdex
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49744 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49745 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49746 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49749 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49751 version: TLS 1.2
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004E5FF0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,735274A0,DeleteObject,DeleteObject,ReleaseDC

                    System Summary

                    Source: D44CPdpkNk.exeStatic PE information: section name:
                    Source: D44CPdpkNk.exeStatic PE information: section name:
                    Source: D44CPdpkNk.exeStatic PE information: section name:
                    Source: D44CPdpkNk.exeStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0044002D
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004DF030
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0049F0D0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004AA200
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0049D3A0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004963B0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00490440
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004DE430
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0053F550
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004D7600
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004986B0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0040B8E0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00481C10
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004FAD00
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00493F40
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0049AF60
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004DFF00
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00493080
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004371A0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0044036F
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004A4320
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_005DF4B0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004845E0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0042F580
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004A3610
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_005486C0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00547760
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004E77E0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004547BF
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0043C960
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0043A928
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0044DA86
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00458BB0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004EEC40
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004EFC40
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00534D40
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00546D20
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00545DE0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00458E30
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00541F00
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004F2FD0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0044002D
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004DF030
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0049F0D0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004AA200
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0049D3A0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004963B0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00490440
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004DE430
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0053F550
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004D7600
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004986B0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0040B8E0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00481C10
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004FAD00
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00493F40
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0049AF60
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004DFF00
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00493080
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004371A0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0044036F
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004A4320
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004845E0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0042F580
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004A3610
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_005486C0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00547760
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004E77E0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004547BF
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0043C960
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0043A928
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0044DA86
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00458BB0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004EEC40
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004EFC40
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00534D40
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00546D20
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00545DE0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00458E30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00541F00
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004F2FD0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: String function: 0041ACE0 appears 86 times
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: String function: 0041ACE0 appears 86 times
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 632
                    Source: D44CPdpkNk.exeBinary or memory string: OriginalFilename vs D44CPdpkNk.exe
                    Source: D44CPdpkNk.exe, 00000000.00000000.1717759698.000000000058A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamedotnet.exe6 vs D44CPdpkNk.exe
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamedotnet.exe6 vs D44CPdpkNk.exe
                    Source: D44CPdpkNk.exeBinary or memory string: OriginalFilenamedotnet.exe6 vs D44CPdpkNk.exe
                    Source: D44CPdpkNk.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: D44CPdpkNk.exeStatic PE information: Section: ZLIB complexity 0.999139195505171
                    Source: D44CPdpkNk.exeStatic PE information: Section: ZLIB complexity 0.994404957706767
                    Source: D44CPdpkNk.exeStatic PE information: Section: ZLIB complexity 0.99169921875
                    Source: D44CPdpkNk.exeStatic PE information: Section: .reloc ZLIB complexity 1.5
                    Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.999139195505171
                    Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.994404957706767
                    Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.99169921875
                    Source: RageMP131.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.5
                    Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.999139195505171
                    Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.994404957706767
                    Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.99169921875
                    Source: MPGPH131.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.5
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/106@2/3
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeFile created: C:\Users\user\AppData\Local\RageMP131
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7344
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7600
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7524
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7500
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeFile created: C:\Users\user\AppData\Local\Temp\rage131MP.tmpJump to behavior
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: D44CPdpkNk.exe, 00000000.00000003.1720099706.0000000002860000.00000004.00001000.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2701725233.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1767157197.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2717586552.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1767470994.0000000002880000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2730516267.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1846027883.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1927997441.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2665087041.000000000055D000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: D44CPdpkNk.exe, 00000000.00000003.1720099706.0000000002860000.00000004.00001000.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2701725233.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1767157197.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2717586552.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1767470994.0000000002880000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2730516267.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1846027883.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1927997441.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2665087041.000000000055D000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: D44CPdpkNk.exe, 00000000.00000003.2460461316.0000000005657000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2461292656.0000000005657000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2462471705.00000000057AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2460795598.00000000057AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2462910382.00000000057AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2460044350.0000000005797000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2460474928.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2461213005.0000000005797000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2462821569.00000000057A3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2463173746.00000000057B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2461282873.00000000057AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: D44CPdpkNk.exe ReversingLabs: Detection: 50%
Source: D44CPdpkNk.exe Virustotal: Detection: 56%
Source: D44CPdpkNk.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\D44CPdpkNk.exe File read: C:\Users\user\Desktop\D44CPdpkNk.exe
Source: unknown Process created: C:\Users\user\Desktop\D44CPdpkNk.exe "C:\Users\user\Desktop\D44CPdpkNk.exe"
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 632
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 1896
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 1920
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 1900
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: D44CPdpkNk.exe Static file information: File size 3285520 > 1048576
Source: D44CPdpkNk.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x26aa00
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: D44CPdpkNk.exe Static PE information: section name:
Source: D44CPdpkNk.exe Static PE information: section name:
Source: D44CPdpkNk.exe Static PE information: section name:
Source: D44CPdpkNk.exe Static PE information: section name:
Source: D44CPdpkNk.exe Static PE information: section name: .themida
Source: D44CPdpkNk.exe Static PE information: section name: .boot
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .themida
Source: RageMP131.exe.0.dr Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr Static PE information: section name: .boot
Source: C:\Users\user\Desktop\D44CPdpkNk.exe Code function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00433F59 push ecx; ret 5_2_00433F6C
Source: D44CPdpkNk.exe Static PE information: section name: entropy: 7.986055415037788
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.986055415037788
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.986055415037788
Source: C:\Users\user\Desktop\D44CPdpkNk.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\D44CPdpkNk.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\D44CPdpkNk.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                    (the task re-launches the dropped MPGPH131.exe every hour under the interactive user; /f overwrites any existing task of the same name without prompting, and /rl HIGHEST asks for the task to run with the highest privileges available to that account, an elevated token only if the account is an administrator)
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 (listed twice)
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    (the two WerFault.exe entries above appear 18 and 196 times respectively in the report; they record SetErrorMode calls made by WerFault.exe itself, the Windows Error Reporting helper that Windows starts when a process faults, so they are not a persistence indicator and say nothing about the sample on their own)
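The schtasks command line above is what a process-creation log (Sysmon event 1, Security event 4688) records when this persistence is set up, so it is the natural thing to detect on. The script below is an added example, not code from the report or from the sample: it parses a `schtasks /create` command line into its fields and lists the traits that separate this task from an installer's update job (`/f`, `/rl HIGHEST`, an hourly trigger, a target under ProgramData or AppData), and applies the same user-writable-path test to a Run-key value. The rule set is an assumption; the Run value data is assumed to be the dropped RageMP131.exe path, since the report shows only the value name.

```python
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Constructed sample input: the schtasks command line recorded in the report.
SAMPLE_CMDLINE = ('schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" '
                  '/tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST')

# Directories a standard user can write to. A task action or Run value that
# points here is attacker-controlled, not an installed product's updater.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)

# schtasks /create switches that take a value, and the field each one fills.
VALUED_SWITCHES = {"/tn": "task_name", "/tr": "action", "/ru": "run_as",
                   "/sc": "schedule", "/rl": "run_level"}


@dataclass
class TaskCreate:
    task_name: str = ""
    action: str = ""
    run_as: str = ""
    schedule: str = ""
    run_level: str = ""
    force: bool = False


def parse_schtasks_create(cmdline: str) -> TaskCreate | None:
    """Parse a schtasks /create command line into a TaskCreate; any other
    command line (schtasks /query, cmd.exe ...) yields None. Non-POSIX shlex
    keeps Windows backslashes literal and groups quoted arguments."""
    argv = shlex.split(cmdline, posix=False)
    if not argv:
        return None
    exe = argv[0].strip('"').lower()
    if not (exe == "schtasks" or exe.endswith("schtasks.exe")):
        return None
    if "/create" not in (a.lower() for a in argv[1:]):
        return None
    task = TaskCreate()
    i = 1
    while i < len(argv):
        opt = argv[i].lower()
        if opt == "/f":
            task.force = True
        elif opt in VALUED_SWITCHES and i + 1 < len(argv):
            setattr(task, VALUED_SWITCHES[opt], argv[i + 1].strip('"'))
            i += 1                      # consume the switch's value
        i += 1
    return task


def persistence_reasons(task: TaskCreate) -> list[str]:
    """Traits that distinguish malware persistence from an installer's update
    job. The rule set is an assumption, tuned to the report's command line."""
    reasons = []
    if task.force:
        reasons.append("/f: silently replaces any existing task with the same name")
    if task.run_level.upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: runs with the highest privileges the account has")
    if task.schedule.upper() in ("MINUTE", "HOURLY"):
        reasons.append(f"/sc {task.schedule}: re-launches the action at a short interval")
    elif task.schedule.upper() in ("ONLOGON", "ONSTART"):
        reasons.append(f"/sc {task.schedule}: re-launches the action after every reboot or logon")
    if USER_WRITABLE.search(task.action):
        reasons.append("action binary lives in a user-writable directory")
    return reasons


def autorun_target(run_value_data: str) -> str:
    """Executable named by a Run-key value, with quotes and arguments removed."""
    argv = shlex.split(run_value_data, posix=False)
    return argv[0].strip('"') if argv else ""


def run_value_in_user_writable_path(run_value_data: str) -> bool:
    return bool(USER_WRITABLE.search(autorun_target(run_value_data)))


if __name__ == "__main__":
    task = parse_schtasks_create(SAMPLE_CMDLINE)
    print(task)
    for reason in persistence_reasons(task):
        print(" -", reason)
    # Assumed Run value data (the report shows only the value name RageMP131).
    print(run_value_in_user_writable_path(r'"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"'))
```

Feeding real 4688/Sysmon command lines through `parse_schtasks_create` and alerting when `persistence_reasons` returns three or more hits keeps legitimate `/sc DAILY` updater tasks under Program Files quiet while catching this pattern.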

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Stalling execution: Execution stalls by calling Sleep
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Stalling execution: Execution stalls by calling Sleep
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | System information queried: FirmwareTableInformation
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation (listed twice)
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation (listed twice)
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (listed twice)
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (listed twice)
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe TID: 7348 | Thread sleep count: 148 > 30
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe TID: 7488 | Thread sleep count: 31 > 30
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe TID: 7348 | Thread sleep count: 43 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7504 | Thread sleep count: 113 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7548 | Thread sleep count: 32 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7504 | Thread sleep count: 61 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7528 | Thread sleep count: 112 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7544 | Thread sleep count: 31 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7528 | Thread sleep count: 61 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7604 | Thread sleep count: 85 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7604 | Thread sleep count: 68 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7604 | Thread sleep count: 76 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7928 | Thread sleep count: 67 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7928 | Thread sleep count: 77 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7928 | Thread sleep count: 154 > 30
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (listed twice)
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed (listed 3 times)
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Last function: Thread delayed (listed 3 times)
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00493F40
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00 (listed twice)
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exe | Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004C6000
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,5_2_004E6770
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,5_2_00493F40
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,5_2_004DFF00
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError,5_2_00431F9C
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,5_2_00432022
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004938D0
                    (0_2_004DFF00 / 5_2_004DFF00 is the host-profiling routine: hardware profile, computer and user name, desktop size, locale and keyboard layouts, local time and time zone, CPU and memory, display devices, the running process list and a registry subkey enumeration, the system-information block a stealer typically sends with its first check-in; 0_2_00493F40 / 5_2_00493F40 locates a shell folder via SHGetFolderPathA, copies files out of it and then calls CredEnumerateA, which reads saved logons from the Windows Credential Manager vault)
                    Source: Amcache.hve.17.drBinary or memory string: VMware
                    Source: D44CPdpkNk.exe, 00000000.00000003.1742890450.0000000000CC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
                    Source: D44CPdpkNk.exe, 00000000.00000002.2691142764.0000000005656000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Dk&Ven_VMware&P
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CCA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}{x
                    Source: MPGPH131.exe, 00000005.00000003.2476797753.00000000057BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}C
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}=
                    Source: Amcache.hve.17.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CCA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},n.pl,o.pl,p.pl,q.pl,r.pl,s.pl,t.pl,u.pl,v.pl,w.pl,x.pl,y.pl,z.pl,a.ar,b.ar,c.ar,d.ar,e.ar,f.ar,g.ar,h.ar,tz
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387506788.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Pes\o4pultasehissqlAw
                    Source: RageMP131.exe, 0000000B.00000003.1941752635.0000000000EA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amcache.hve.17.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: RageMP131.exe, 00000007.00000002.2733173056.0000000005624000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_63FDBA29og
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000D0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_63FDBA29!
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000E40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                    Source: Amcache.hve.17.drBinary or memory string: vmci.sys
                    Source: D44CPdpkNk.exe, 00000000.00000003.2473537817.0000000005695000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*#
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*B
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000CB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&>&
                    Source: Amcache.hve.17.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.17.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.17.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.17.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.17.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.17.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.17.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.17.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.17.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.17.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.17.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: RageMP131.exe, 0000000B.00000003.2631426477.00000000057BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_63FDBA29+l
                    Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D24000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8
                    Source: Amcache.hve.17.drBinary or memory string: VMware Virtual USB Mouse
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                    Source: Amcache.hve.17.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.17.drBinary or memory string: VMware, Inc.
                    Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amcache.hve.17.drBinary or memory string: VMware20,1hbin@
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000C50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&*
                    Source: Amcache.hve.17.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: RageMP131.exe, 0000000B.00000003.2631426477.00000000057BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_63FDBA29
                    Source: Amcache.hve.17.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.17.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.17.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.17.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.17.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.17.drBinary or memory string: vmci.syshbin`
                    Source: Amcache.hve.17.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.17.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: RageMP131.exe, 0000000B.00000002.2667457557.000000000577B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsww
                    Source: Amcache.hve.17.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP"
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387506788.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
                    Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2169164175.0000000000D5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWmpN
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeProcess queried: DebugPort
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h]0_2_004C6D80
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00493F40 mov eax, dword ptr fs:[00000030h]0_2_00493F40
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004C6D80 mov eax, dword ptr fs:[00000030h]5_2_004C6D80
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00493F40 mov eax, dword ptr fs:[00000030h]5_2_00493F40
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,0_2_004E9A70
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043451D
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0043451D
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00438A64

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,5_2_004CF280
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: GetLocaleInfoW,0_2_004531CA
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: EnumSystemLocalesW,0_2_0044B1B1
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004532F3
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: GetLocaleInfoW,0_2_004533F9
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004534CF
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: GetLocaleInfoW,0_2_0044B734
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00452B5A
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: GetLocaleInfoW,0_2_00452D5F
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: EnumSystemLocalesW,0_2_00452E51
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: EnumSystemLocalesW,0_2_00452E06
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: EnumSystemLocalesW,0_2_00452EEC
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452F77
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,5_2_004DFF00
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,5_2_004531CA
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,5_2_0044B1B1
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_004532F3
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,5_2_004533F9
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_004534CF
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,5_2_0044B734
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,5_2_00452B5A
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,5_2_00452D5F
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,5_2_00452E51
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,5_2_00452E06
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,5_2_00452EEC
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00452F77
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeCode function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
                    Source: C:\Users\user\Desktop\D44CPdpkNk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.17.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.17.drBinary or memory string: msmpeng.exe
                    Source: Amcache.hve.17.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.17.drBinary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 00000000.00000003.2506747814.0000000005660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000003.2632498657.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2667670233.00000000057AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2704555272.0000000005760000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000003.2474706662.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2731573576.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000003.2581253200.0000000005621000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000003.2632832669.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000003.2478743277.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2733173056.0000000005624000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000003.2632657858.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000003.2475226109.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2691142764.0000000005660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: D44CPdpkNk.exe PID: 7344, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 7500, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 7524, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7600, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7924, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Sfn1YyGgu6CGTeBtRcADBVG.zip, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\UWUWkzI6iEQD6XYchYfKNkl.zip, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\O2ikhRyQ71SvrRUjZ9MvGf7.zip, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\hOyPUaIJ5lfWhg1CogD2H0Y.zip, type: DROPPED
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: iberty.jaxx
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonP
                    Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000C57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsns(
                    Source: MPGPH131.exe, 00000005.00000002.2703864542.0000000000D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \user\AppData\Roaming\MultiDoge\multidoge.wallet
                    Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ledger LiveO
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\D44CPdpkNk.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\D44CPdpkNk.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\D44CPdpkNk.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara matchFile source: 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: D44CPdpkNk.exe PID: 7344, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 7500, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 7524, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7600, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7924, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara matchFile source: 00000000.00000003.2506747814.0000000005660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000003.2632498657.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.2667670233.00000000057AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2704555272.0000000005760000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000003.2474706662.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2731573576.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000003.2581253200.0000000005621000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000003.2632832669.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000003.2478743277.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2733173056.0000000005624000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000003.2632657858.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000003.2475226109.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2691142764.0000000005660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: D44CPdpkNk.exe PID: 7344, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 7500, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 7524, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7600, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7924, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Sfn1YyGgu6CGTeBtRcADBVG.zip, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\UWUWkzI6iEQD6XYchYfKNkl.zip, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\O2ikhRyQ71SvrRUjZ9MvGf7.zip, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\hOyPUaIJ5lfWhg1CogD2H0Y.zip, type: DROPPED
MITRE ATT&CK Matrix (numbers in parentheses are the counts shown in the original matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Scheduled Task/Job (1) | Process Injection (11) | Obfuscated Files or Information (3) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (2) | Encrypted Channel (21) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (1) | Scheduled Task/Job (1) | Software Packing (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Screen Capture (1) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | NTDS | System Information Discovery (35) | Distributed Component Object Model | Email Collection (1) | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Security Software Discovery (351) | SSH | Keylogging | Application Layer Protocol (13) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (13) | Cached Domain Credentials | Virtualization/Sandbox Evasion (13) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Process Injection (11) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Network Configuration Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1459954; Sample: D44CPdpkNk.exe; Startdate: 20/06/2024; Architecture: WINDOWS; Score: 100)

Contacted domains: ipinfo.io, db-ip.com
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 6 other signatures

Process tree recovered from the graph:

• D44CPdpkNk.exe
  Network: 77.91.77.66 (ports 49731, 49732, 49733; FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); ipinfo.io 34.117.186.192:443 (ports 49741, 49742; GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); db-ip.com 104.26.4.15:443 (ports 49744, 49745; CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\O2ikhRyQ71SvrRUjZ9MvGf7.zip (Zip); 2 other malicious files
  Signatures: Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
  Children: schtasks.exe (child conhost.exe); WerFault.exe (dropped C:\ProgramData\Microsoft\...\Report.wer, Unicode); schtasks.exe (child conhost.exe)
• MPGPH131.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call
  Children: WerFault.exe
• RageMP131.exe
  Dropped: C:\Users\user\...\Sfn1YyGgu6CGTeBtRcADBVG.zip (Zip)
  Signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Children: WerFault.exe
• RageMP131.exe
  Dropped: C:\Users\user\...\UWUWkzI6iEQD6XYchYfKNkl.zip (Zip)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
• MPGPH131.exe (drawn in the graph as a child of the first conhost.exe)
  Dropped: C:\Users\user\...\hOyPUaIJ5lfWhg1CogD2H0Y.zip (Zip)
  Signatures: Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Children: WerFault.exe

Submitted file

Source | Detection | Scanner | Label | Link
D44CPdpkNk.exe | 50% | ReversingLabs | Win32.Trojan.RiseProStealer |
D44CPdpkNk.exe | 56% | Virustotal | | Browse
D44CPdpkNk.exe | 100% | Joe Sandbox ML | |

Dropped files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\MPGPH131\MPGPH131.exe | 50% | ReversingLabs | Win32.Trojan.RiseProStealer |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 50% | ReversingLabs | Win32.Trojan.RiseProStealer |
                    No Antivirus matches
Domains

Source | Detection | Scanner | Label | Link
ipinfo.io | 0% | Virustotal | | Browse
db-ip.com | 0% | Virustotal | | Browse
URLs

Source | Detection | Scanner | Label | Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ipinfo.io/ | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://77.91.77.81/mine/amadka.exero | 100% | Avira URL Cloud | phishing |
http://77.91.77.81/mine/amadka.exe | 100% | Avira URL Cloud | malware |
https://ipinfo.io:443/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe |
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
http://77.91.77.81/mine/amadka.exe | 23% | Virustotal | | Browse
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
http://77.91.77.81/cost/go.exe | 100% | Avira URL Cloud | malware |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal | | Browse
http://77.91.77.81/cost/lenin.exein | 100% | Avira URL Cloud | phishing |
https://db-ip.com/ | 0% | Avira URL Cloud | safe |
https://ipinfo.io/widget/demo/8.46.123.33d- | 0% | Avira URL Cloud | safe |
https://t.p | 0% | Avira URL Cloud | safe |
https://t.me/RiseProSUPPORTVgpSODDpgWGzlwXVCLTXRkn.exe | 0% | Avira URL Cloud | safe |
http://77.91.77.81/cost/go.exe | 23% | Virustotal | | Browse
https://db-ip.com/demo/home.php?s=8.46.123.33X | 0% | Avira URL Cloud | safe |
https://db-ip.com/ | 0% | Virustotal | | Browse
https://duckduckgo.com/ac/?q= | 0% | Virustotal | | Browse
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | Avira URL Cloud | safe |
https://db-ip.com/demo/home.php?s=8.46.123.33L | 0% | Avira URL Cloud | safe |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016zy | 0% | Avira URL Cloud | safe |
https://t.me/risepro | 0% | Avira URL Cloud | safe |
https://t.z | 0% | Avira URL Cloud | safe |
https://db-ip.com/e8RH( | 0% | Avira URL Cloud | safe |
https://support.microsoft.. | 0% | Avira URL Cloud | safe |
https://ipinfo.io/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe |
https://t.me/risepro | 0% | Virustotal | | Browse
http://77.91.77.81/cost/go.exeO | 100% | Avira URL Cloud | phishing |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | Avira URL Cloud | safe |
https://support.microsoft.. | 0% | Virustotal | | Browse
https://db-ip.com:443/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe |
https://ipinfo.io/widget/demo/8.46.123.33o5 | 0% | Avira URL Cloud | safe |
https://t.me/risepro_botisepro_bot | 0% | Avira URL Cloud | safe |
https://t.me/risepro_bot; | 0% | Avira URL Cloud | safe |
https://db-ip.com/Q | 0% | Avira URL Cloud | safe |
http://77.91.77.81/mine/amadka.exeA | 100% | Avira URL Cloud | phishing |
http://77.91.77.81/cost/go.exe?~ | 100% | Avira URL Cloud | malware |
https://db-ip.com/;8H | 0% | Avira URL Cloud | safe |
https://t.me/risepro_bot.46.123.33 | 0% | Avira URL Cloud | safe |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17oinR6 | 0% | Avira URL Cloud | safe |
https://t.me/risepro_botisepro_bot | 0% | Virustotal | | Browse
https://t.me/risepro_bot; | 0% | Virustotal | | Browse
https://db-ip.com/demo/home.php?s=8.46.123.33dJ6 | 0% | Avira URL Cloud | safe |
https://t.me/risepro_botlaterH | 0% | Avira URL Cloud | safe |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
https://support.microsoft. | 0% | Avira URL Cloud | safe |
https://db-ip.com/Q | 0% | Virustotal | | Browse
http://77.91.77.81/cost/lenin.exeisepro_bot | 100% | Avira URL Cloud | phishing |
https://db-ip.com/Kht | 0% | Avira URL Cloud | safe |
https://ipinfo.io/S | 0% | Avira URL Cloud | safe |
https://support.microsoft. | 0% | Virustotal | | Browse
http://77.91.77.81/cost/go.exes | 100% | Avira URL Cloud | phishing |
https://t.me/risepro_botlaterH | 0% | Virustotal | | Browse
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | | Browse
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Avira URL Cloud | safe |
                    https://ipinfo.io/N0%Avira URL Cloudsafe
                    https://ipinfo.io/Mozilla/5.00%Avira URL Cloudsafe
                    https://t.me/risepro_bot0%Avira URL Cloudsafe
                    https://t.me/RiseProSUPPORTx&$0%Avira URL Cloudsafe
                    http://77.91.77.81/mine/amadka.exe0.1100%Avira URL Cloudphishing
                    https://www.maxmind.com/en/locate-my-ip-address0%Avira URL Cloudsafe
                    https://t.me/risepro_botcAw0%Avira URL Cloudsafe
                    http://www.winimage.com/zLibDll0%Avira URL Cloudsafe
                    https://ipinfo.io/)0%Avira URL Cloudsafe
                    http://77.91.77.81/cost/lenin.exectrum100%Avira URL Cloudphishing
                    http://77.91.77.81/mine/amadka.exes.binr100%Avira URL Cloudphishing
                    https://support.mozilla.org0%Avira URL Cloudsafe
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples0%Avira URL Cloudsafe
                    http://77.91.77.81/cost/lenin.exec176af100%Avira URL Cloudphishing
                    http://77.91.77.81/cost/lenin.exem100%Avira URL Cloudphishing
                    https://db-ip.com/demo/home.php?s=8.46.123.33p30%Avira URL Cloudsafe
                    https://t.me/risepro_bots0%Avira URL Cloudsafe
                    https://db-ip.com/demo/home.php?s=8.46.123.330%Avira URL Cloudsafe
                    http://77.91.77.81/cost/lenin.exe100%Avira URL Cloudmalware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | - | unknown
db-ip.com | 104.26.4.15 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/widget/demo/8.46.123.33 | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/ | false | URL Reputation: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33 | false | Avira URL Cloud: safe | unknown
                    • URL Reputation: safe
                    unknown
                    https://t.me/risepro_botRageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2387635709.0000000000F29000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.7.dr, passwords.txt.0.dr, passwords.txt.11.dr, passwords.txt.6.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/RiseProSUPPORTx&$D44CPdpkNk.exe, 00000000.00000003.2506747814.0000000005660000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://77.91.77.81/mine/amadka.exe0.1MPGPH131.exe, 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: phishing
                    unknown
                    https://www.maxmind.com/en/locate-my-ip-addressD44CPdpkNk.exe, MPGPH131.exefalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/risepro_botcAwMPGPH131.exe, 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
URL: http://www.winimage.com/zLibDll
Source: D44CPdpkNk.exe, 00000000.00000003.1720099706.0000000002860000.00000004.00001000.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2701725233.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1767157197.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2717586552.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1767470994.0000000002880000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2730516267.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1846027883.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1927997441.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2665087041.000000000055D000.00000002.00000001.01000000.00000005.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
URL: https://ipinfo.io/)
Source: MPGPH131.exe, 00000005.00000002.2703127000.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
URL: http://77.91.77.81/cost/lenin.exectrum
Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: phishing
Reputation: unknown
URL: http://77.91.77.81/mine/amadka.exes.binr
Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000D32000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: phishing
Reputation: unknown
URL: https://support.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.11.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
URL: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: lsAFEDVzYJlMHistory.6.dr, aSLZ4Feg28S4History.0.dr, v9460BEWAmo6History.6.dr, J7Touhh5YhR_History.0.dr, _1TNl_23bSjIHistory.11.dr, 8cbHFLCQ6whQHistory.7.dr, 5QPDGmo5G4k0History.11.dr, O9ahXmBQyGuqHistory.7.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
URL: http://77.91.77.81/cost/lenin.exec176af
Source: MPGPH131.exe, 00000006.00000002.2719758553.0000000000CD7000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: phishing
Reputation: unknown
URL: http://77.91.77.81/cost/lenin.exem
Source: RageMP131.exe, 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: phishing
Reputation: unknown
URL: https://db-ip.com/demo/home.php?s=8.46.123.33p3
Source: RageMP131.exe, 0000000B.00000003.2387506788.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
URL: https://t.me/risepro_bots
Source: D44CPdpkNk.exe, 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2076042690.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
URL: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: D44CPdpkNk.exe, 00000000.00000003.2462949812.000000000569A000.00000004.00000020.00020000.00000000.sdmp, D44CPdpkNk.exe, 00000000.00000003.2466769777.00000000056AC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2464115255.00000000057DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2467965125.00000000057FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2461510506.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2465499374.00000000057DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2460474928.00000000057AE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2536129410.000000000568C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2537025525.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.2541983157.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2627048906.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2623929888.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, u1bz9SOgrSepWeb Data.7.dr, 8K3NvYKoF0DKWeb Data.0.dr, CW09Q1VnvrXtWeb Data.6.dr, X4w8fLfloerdWeb Data.11.dr, TGgMbIm7Fwe7Web Data.6.dr, owf9GshuzJ25Web Data.11.dr, qZ4vtdSQrsMXWeb Data.11.dr, t1K7aC5iYP_kWeb Data.7.dr, JiGBQplW34HlWeb Data.0.dr
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
URL: http://77.91.77.81/cost/lenin.exe
Source: RageMP131.exe, 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: malware
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-AP (Google Asia Pacific Pte Ltd, SG) | false
104.26.4.15 | db-ip.com | United States | 13335 | CLOUDFLARENET (US) | false
77.91.77.66 | unknown | Russian Federation | 42861 | FOTONTELECOM-TRANSIT-AS (Foton Telecom ISP, RU) | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1459954
                    Start date and time:2024-06-20 10:16:07 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 13s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:24
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:D44CPdpkNk.exe
                    renamed because original name is a hash value
                    Original Sample Name:093bda46f4ebe927a99cc0e120d50d8c.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@15/106@2/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 67%
                    • Number of executed functions: 50
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 52.182.143.212
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:18:39 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
09:17:06 | Task Scheduler | Run new task: MPGPH131 HR, path: C:\ProgramData\MPGPH131\MPGPH131.exe
09:17:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131 = C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
09:17:07 | Task Scheduler | Run new task: MPGPH131 LG, path: C:\ProgramData\MPGPH131\MPGPH131.exe
09:17:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131 = C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
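An added hunt script, written for this page and not part of Joe Sandbox's output, that checks a Windows host for the artifacts the report attributes to this sample: the MPGPH131 HR / MPGPH131 LG scheduled tasks, the RageMP131 Run value, the two drop paths, the sample's SHA-256, the 77.91.77.66 address the report marks malicious and 77.91.77.81, which hosts the lenin.exe / amadka.exe URLs. Those indicators are copied from the report; extending the Run-key check to HKLM and every loaded user hive, treating ipinfo.io / db-ip.com DNS-cache hits as weak evidence, and the output layout are this example's own choices.

```powershell
# Added hunt script (not part of the Joe Sandbox report). Run in an elevated
# PowerShell session on the host under investigation.
$ErrorActionPreference = 'SilentlyContinue'
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# --- 1. Dropped binaries and the sample hash (report: SHA-256 of D44CPdpkNk.exe) ---
$KnownSha256 = 'FFD113A300E84AA5E0F426F711104FB6F6AC411A5C02F620433A0BD76E30B141'
# C:\ProgramData path is fixed; the RageMP131 copy lives under each user's profile.
$DropPaths = @('C:\ProgramData\MPGPH131\MPGPH131.exe') +
    (Get-ChildItem 'C:\Users' -Directory |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\RageMP131\RageMP131.exe' })
foreach ($path in $DropPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $note = if ($hash -eq $KnownSha256) { 'SHA-256 matches the analysed sample' }
            else { "SHA-256 $hash differs from the analysed sample (repacked variant?)" }
    Add-Finding 'File' "$path present; $note"
}

# --- 2. Scheduled tasks (report: 'MPGPH131 HR' and 'MPGPH131 LG') ---
Get-ScheduledTask |
    Where-Object {
        $_.TaskName -like 'MPGPH131*' -or
        ($_.Actions | Where-Object { $_.Execute -match 'MPGPH131|RageMP131' })
    } |
    ForEach-Object {
        Add-Finding 'ScheduledTask' ('{0}{1} -> {2}' -f $_.TaskPath, $_.TaskName, ($_.Actions.Execute -join '; '))
    }

# --- 3. Run keys (report: HKCU\...\Run\RageMP131). HKLM and all loaded user hives are
#        this script's own extension, so an infection in another profile is not missed.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
if (-not (Get-PSDrive HKU)) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
$RunKeys += Get-ChildItem 'HKU:\' |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a Run value
        if ($p.Name -eq 'RageMP131' -or "$($p.Value)" -match 'RageMP131|MPGPH131') {
            Add-Finding 'RunKey' "$key\$($p.Name) = $($p.Value)"
        }
    }
}

# --- 4. Network (report: 77.91.77.66 marked malicious; 77.91.77.81 hosts the payload URLs) ---
$BadIps = @('77.91.77.66', '77.91.77.81')
Get-NetTCPConnection |
    Where-Object { $BadIps -contains $_.RemoteAddress } |
    ForEach-Object {
        Add-Finding 'Network' ('PID {0} -> {1}:{2} ({3})' -f $_.OwningProcess, $_.RemoteAddress, $_.RemotePort, $_.State)
    }
# ipinfo.io and db-ip.com are legitimate geolocation services the sample queries;
# a cache hit alone proves nothing, so it is reported as weak evidence.
Get-DnsClientCache |
    Where-Object { $_.Entry -in @('ipinfo.io', 'db-ip.com') } |
    ForEach-Object { Add-Finding 'DnsCache (weak)' ('{0} -> {1}' -f $_.Entry, $_.Data) }

if ($Findings.Count -eq 0) { 'No artifacts from Joe Sandbox analysis 1459954 found on this host.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

A hash mismatch on a present drop path is still a finding: the report's section list shows a Themida-packed PE, and repacked builds of the same family keep the file names and task names while changing the hash.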
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192:
  HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
  HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
  HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
  SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
  SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
  Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
  Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
  Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
  w.sh | malicious | Xmrig | /ip
  Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
104.26.4.15:
  #Ud3ec#Ud2b8#Ud3f4#Ub9ac#Uc624.exe (포트폴리오.exe) | malicious | Nemty, Xmrig | api.db-ip.com/v2/free/102.129.152.212/countryName
77.91.77.66:
  WGEfBWbWQI.exe | malicious | RisePro Stealer | (none)
  2bT2lTwRku.exe | malicious | RisePro Stealer | (none)
  T17sbXrL3i.exe | malicious | RisePro Stealer | (none)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io:
  1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 34.117.186.192
  WGEfBWbWQI.exe | malicious | RisePro Stealer | 34.117.186.192
  2bT2lTwRku.exe | malicious | RisePro Stealer | 34.117.186.192
  T17sbXrL3i.exe | malicious | RisePro Stealer | 34.117.186.192
  http://telegliam.icu/ | malicious | Unknown | 34.117.186.192
  https://ingresar-365-msn.glitch.me/ | malicious | Unknown | 34.117.186.192
  Jr7B1jZMaT.exe | malicious | NovaSentinel | 34.117.186.192
  file.exe | malicious | RisePro Stealer | 34.117.186.192
  win6.exe | malicious | Python Stealer, Discord Token Stealer | 34.117.186.192
  4Ip0IVHqJ3.exe | malicious | RisePro Stealer | 34.117.186.192
db-ip.com:
  1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 104.26.4.15
  WGEfBWbWQI.exe | malicious | RisePro Stealer | 104.26.4.15
  2bT2lTwRku.exe | malicious | RisePro Stealer | 104.26.5.15
  T17sbXrL3i.exe | malicious | RisePro Stealer | 172.67.75.166
  file.exe | malicious | RisePro Stealer | 172.67.75.166
  https://curious-kringle-id4964-024b3b3.netlify.app/form.html | malicious | Unknown | 104.26.5.15
  https://glist43-dase23-ac9ae33.netlify.app/dev.html/ | malicious | Unknown | 104.26.5.15
  4Ip0IVHqJ3.exe | malicious | RisePro Stealer | 172.67.75.166
  eIbDy5M3wa.exe | malicious | RisePro Stealer | 104.26.5.15
  file.exe | malicious | RisePro Stealer | 104.26.4.15
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FOTONTELECOM-TRANSIT-AS (Foton Telecom ISP, RU):
  https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac | malicious | Unknown | 77.91.77.5
  https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac | malicious | Unknown | 77.91.77.5
  WGEfBWbWQI.exe | malicious | RisePro Stealer | 77.91.77.66
  2bT2lTwRku.exe | malicious | RisePro Stealer | 77.91.77.66
  T17sbXrL3i.exe | malicious | RisePro Stealer | 77.91.77.66
  2022and2023TaxDocuments.zip | malicious | Remcos | 77.91.77.107
  https://securityzones.blob.core.windows.net/app/qb.html?k0q2g%5Cu0026sa%5Cu003dD%5Cu0026source%5Cu003dapps-viewer-frontend%5Cu0026ust%5Cu003d1718848253213951%5Cu0026usg%5Cu003dAOvVaw07eeibWUO-ccHOx9vz-o | malicious | Unknown | 77.91.77.5
  AgHiy5gaGp.exe | malicious | Amadey, PureLog Stealer | 77.91.77.80
  http://u.to/Tr_9IA | malicious | Unknown | 77.91.66.92
  https://drive.google.com/file/d/1JwMEh9AmJIvZiNdqJh4RUnTkYVtbznuJ/view?ts=666b8066 | malicious | Unknown | 77.91.77.5
GOOGLE-AS-AP (Google Asia Pacific Pte Ltd, SG):
  1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 34.117.186.192
  WGEfBWbWQI.exe | malicious | RisePro Stealer | 34.117.186.192
  2bT2lTwRku.exe | malicious | RisePro Stealer | 34.117.186.192
  T17sbXrL3i.exe | malicious | RisePro Stealer | 34.117.186.192
  http://h3200457.wixsite.com/my-site-1/ | malicious | Unknown | 34.117.60.144
  http://telegliam.icu/ | malicious | Unknown | 34.117.186.192
  https://riprogramma.consegna.3-76-125-238.cprapid.com/dpd/update.php | malicious | Unknown | 34.117.77.79
  http://3-76-125-238.cprapid.com/dpd/update.php | malicious | Unknown | 34.117.77.79
  https://ingresar-365-msn.glitch.me/ | malicious | Unknown | 34.117.186.192
  http://underarmour.ca | malicious | Unknown | 34.117.202.77
CLOUDFLARENET (US):
  http://tinyurI.com/bn229tan | malicious | Unknown | 172.64.151.101
  IMPS_transaction_error_details_account-900192_xls.js | malicious | WSHRAT | 188.114.96.3
  IMPS_transaction_error_details_account-900192_xls.js | malicious | Unknown | 172.67.154.165
  https://cssa.evlink2.net/servlet/link/855/184352/1637605/1648475 | malicious | Unknown | 104.18.21.157
  NEW ORDER.docx.doc | malicious | Unknown | 104.21.83.128
  Purchase Order 0030520574.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
  NEW ORDER.docx.doc | malicious | Unknown | 104.21.83.128
  https://whateveryourdose.com | malicious | Unknown | 104.26.4.143
  https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac | malicious | Unknown | 1.1.1.1
  https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac | malicious | Unknown | 1.1.1.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1:
  NEW ORDER.docx.doc | malicious | Unknown | 34.117.186.192, 104.26.4.15
  1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 34.117.186.192, 104.26.4.15
  WGEfBWbWQI.exe | malicious | RisePro Stealer | 34.117.186.192, 104.26.4.15
  2bT2lTwRku.exe | malicious | RisePro Stealer | 34.117.186.192, 104.26.4.15
  RobloxPlayerInstaller.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
  T17sbXrL3i.exe | malicious | RisePro Stealer | 34.117.186.192, 104.26.4.15
  http://voice-100740.weeblysite.com/ | malicious | Unknown | 34.117.186.192, 104.26.4.15
  fortnitewhv5.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
  DyEmdWLfg4.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
  f5tZjE2iHW.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
                          No context
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3285520
                          Entropy (8bit):7.9670682991434125
                          Encrypted:false
                          SSDEEP:49152:YQqdyW2QvYnYuHn2XYMGpokbLH+WYbIloN32VjGFbNNv9sCLBfqKtt/LBs3r7G8b:YQCyrmYnYiLlPbL2MVQYCVXLOaxc
                          MD5:093BDA46F4EBE927A99CC0E120D50D8C
                          SHA1:1312D8E21C7AC0FCF1F64067690151A86738C856
                          SHA-256:FFD113A300E84AA5E0F426F711104FB6F6AC411A5C02F620433A0BD76E30B141
                          SHA-512:83C2E93B5DDCA444391AFCB7229EC2EE2ED40F1637C05C4984F907D00643D8023B7EC344AE17410114CB123FB05A8F693866349318AFB3844C39FEBABE06A475
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 50%
                          Reputation:low
                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@...........................~.......2......................................a..........8.....................~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot.....&...X...&..x..............`..`.reloc........~......"2................@................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0506085940821464
                          Encrypted:false
                          SSDEEP:192:5eOCizT+0kYqtEjyZrosLZuzuiFUZ24IO81:RCizTlkYqKjyuzuiFUY4IO81
                          MD5:E911ED2344EBC5AA8AB3BC6CF3211250
                          SHA1:9DE3C62D2B474D015928EEC77B5F1C5688FEAB88
                          SHA-256:DCE8FAFAE058461429075260EB4177706C7C4F98DE937273F1EC8EB4D7F05B99
                          SHA-512:731BC8CFBB345D29E713DE9C35B9DCA0AEA798DFD5AC5F600ED19A1F586A305BF5DC528A46B7B292F696A2D3B54B52EB7A9A3687CE062D38FDCB756D688AB80D
                          Malicious:true
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.3.4.5.1.0.2.3.0.9.2.7.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.3.4.5.1.0.5.1.5.2.9.6.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.2.8.9.3.1.4.-.d.0.5.a.-.4.b.5.4.-.8.b.6.2.-.6.4.5.a.6.3.8.6.0.3.0.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.9.6.b.2.5.7.-.2.7.d.6.-.4.e.4.0.-.8.f.2.5.-.c.d.c.2.e.e.9.2.e.2.0.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.D.4.4.C.P.d.p.k.N.k...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.b.0.-.0.0.0.1.-.0.0.1.4.-.6.2.1.b.-.c.e.3.a.e.a.c.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.1.3.1.2.d.8.e.2.1.c.7.a.c.0.f.c.f.1.f.6.4.0.6.7.6.9.0.1.5.1.a.8.6.7.3.8.c.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0492858128431617
                          Encrypted:false
                          SSDEEP:192:8NzlUaizN8Sm0M8rr6E6jjyZrofxjPzuiFUZ24IO8q6t:yp32N/NM8rCjrPzuiFUY4IO81
                          MD5:D247D20603556694B71F4367A68B272D
                          SHA1:9421AB2B219DB3F93BCBBD4B7FAA2F1B5625A1F8
                          SHA-256:E40011E4C5794EEA41350075BEF58C156DED567E19FD70924C0875D5599D826C
                          SHA-512:F026CC85387EFD9A695E9B90B37082FF6BCF0FB08A77917B547B4F722504115B4D631E17E219C474D02886FF017E29ECF2F8DF8CF2F8BFCA4E6F25FB29C75EBC
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.3.4.5.1.0.2.7.8.8.1.1.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.3.4.5.1.0.5.2.8.8.1.1.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.c.b.e.5.a.9.-.8.5.8.b.-.4.1.b.9.-.9.3.3.d.-.5.6.1.f.b.d.a.b.6.2.8.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.a.c.1.c.c.a.-.1.9.c.1.-.4.d.6.f.-.9.0.c.d.-.9.9.b.c.3.c.d.3.d.3.5.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.4.c.-.0.0.0.1.-.0.0.1.4.-.2.1.7.a.-.6.2.3.d.e.a.c.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.1.3.1.2.d.8.e.2.1.c.7.a.c.0.f.c.f.1.f.6.4.0.6.7.6.9.0.1.5.1.a.8.6.7.3.8.c.8.5.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0422345584921138
                          Encrypted:false
                          SSDEEP:192:sWnlCaizB8Sm0M8rr6E6jj/ZrUUJcUzuiFUZ24IO8q6t:VB2B/NM8rCjqUzuiFUY4IO81
                          MD5:C0431A2587EB820FB4A4C20BC036784C
                          SHA1:C33FB2409D94FB73BB9898BC566DC6896691D741
                          SHA-256:BA92B9ABA9F5AD9994A0FF2EA18A3628B63294D000E9CA71CB2C988A98556FED
                          SHA-512:E1D69160A2C80F6539A562EBC7DE7F111A60C75DCD7B5F608C7B0DD43EADA52BE65C9F52447F28EFDABBCB6134771335F927D348D5E2B7C6222726A8BD3293E0
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.3.4.5.1.0.2.4.9.2.2.9.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.3.4.5.1.0.5.1.7.9.7.8.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.d.5.e.d.6.f.-.f.1.b.1.-.4.6.e.2.-.a.e.6.1.-.8.4.7.7.8.6.7.d.2.1.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.7.f.4.e.f.f.-.7.6.e.d.-.4.d.f.2.-.9.5.d.1.-.a.6.e.8.7.2.6.7.4.a.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.4.-.0.0.0.1.-.0.0.1.4.-.6.6.6.1.-.a.d.3.d.e.a.c.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.1.3.1.2.d.8.e.2.1.c.7.a.c.0.f.c.f.1.f.6.4.0.6.7.6.9.0.1.5.1.a.8.6.7.3.8.c.8.5.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.055244816918044
                          Encrypted:false
                          SSDEEP:192:I/fIPg05d0HBuY/FjyZrofxjPzuiFUZ24IO8+:gIg05eHYY/FjLPzuiFUY4IO8+
                          MD5:F462139BA8B8262A78B6E86F4E0983F7
                          SHA1:DC751ED0AE1443AAEEC3216DE7D6BB4A247DFE8A
                          SHA-256:45DBC5A81BC16F60F1375CE80EF0395EF92B1DF12F7F8BAB779BE008A3AD62AD
                          SHA-512:991B049C19ED47FBA9D781BEF54E88A3DAE0E6E0C47DAF557317C57942CD73CB9873BC3E2CA886D7662B8C9BB164550F85DD6D9E05A91C71A0357F1719669B11
                          Malicious:false
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.3.4.5.1.0.9.4.3.0.8.0.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.3.4.5.1.0.9.9.7.7.6.7.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.7.1.7.7.f.e.9.-.0.8.e.6.-.4.1.2.5.-.b.c.0.0.-.2.7.f.9.0.3.d.6.1.e.1.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.8.4.7.d.9.b.-.a.7.3.3.-.4.8.e.8.-.a.f.c.c.-.9.8.8.7.b.a.1.8.0.e.d.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.a.g.e.M.P.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.b.0.-.0.0.0.1.-.0.0.1.4.-.8.1.7.4.-.5.9.4.2.e.a.c.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.1.3.1.2.d.8.e.2.1.c.7.a.c.0.f.c.f.1.f.6.4.0.6.7.6.9.0.1.5.1.a.8.6.7.3.8.c.8.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 08:18:29 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):98526
                          Entropy (8bit):2.0831236419327768
                          Encrypted:false
                          SSDEEP:384:Zk8OxBg7hqFtvPTAQfQOf1O3Zsg6xelJ+vVkTCz5JqCpWC7h:ZkDS0FtvPBfH+YkGz5pWC7h
                          MD5:0D2228D47F7D055CB76F78858CA36155
                          SHA1:3523BDADD73CC422D64C4DB7AB83F8A98AFDCD23
                          SHA-256:1B63EECA3612F39E712499028F29B66BEFFA37370B713C2D0630B776EB3795D1
                          SHA-512:5516B86640489AEEB8C8B463F31BACACA95CB4CD2B9E7CEBC5E16D4CE3668857E77EF43AF4C8DBE26CFC47C666FBCBE7EEC72F66E0A08A891D829A6713ECFA62
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8390
                          Entropy (8bit):3.6998819399942935
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJXj6HaM6OZ6Y9dSUPgmfpJJduxpr3q89boEsfTYm:R6lXJz6HwOZ6YXSUPgmfpJJMvo3fp
                          MD5:E3EE40DFB3F629C3F4B1FD534269FA72
                          SHA1:F8C34C666589CB75E6F4F304DFA61BE8FA89CEEF
                          SHA-256:8B88941566B141B70677064864EB2F65937342A12157F60D99BE8F8F3EF3EB34
                          SHA-512:3FC0E0C1C2A38BEEBF6F07CAFCE50497BFE110A1FD7B0D7801F6813504463B66676846AB2B6F9D1883B0DF4DA40695681E9B019D12091F980F347DD3568C3603
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.0.0.<./.P.i.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4708
                          Entropy (8bit):4.508252469030146
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zs+Jg77aI9fcWpW8VYw5Ym8M4JliFp+q8xV28OL7sd:uIjf0I79V7VGJ038k7sd
                          MD5:2056FC5DF7974687E92345E3921CB1F8
                          SHA1:2BEEC10B22843AC239D573A378607216BEEF6673
                          SHA-256:65A4C7CE7C8F360CCB060A9678447C0836AFAE5C3B9DDD26E01B7F2F4B1A392A
                          SHA-512:DAD4F5C0432941795833471913B2FACFE43A93348E2595F4FA5876DE4AD1411B7D68D49FD83F147AA2A8B77668D5CD36EC79B893B243FDB8344C82F9B79B3211
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="375801" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 08:18:22 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):98864
                          Entropy (8bit):2.0846357366111814
                          Encrypted:false
                          SSDEEP:384:4wIoE4E0GFtvzQbuPU5e3iLEYE9zMd6sm8XqIcycHo:fgJ/FtvOtE5vN8YHo
                          MD5:137E470ABCC6544E378959E5C773B350
                          SHA1:0F12E4CAE9323EDDDB0F6DD66F4A30E776E23F8B
                          SHA-256:068C76CA6E6AF56493261596817BF9F33F413D5FE8E17D5B4B7C8A876AD206AB
                          SHA-512:AF5CC2A0737239AA68F224899FE1A34E7DD7615A93C41B70B3F3159A6D1B6AB35636462ADD424D610DBC7146280C62E5683E136F0F62A4A8C8E36CF31E16970F
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 08:18:22 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):103516
                          Entropy (8bit):2.043898384250572
                          Encrypted:false
                          SSDEEP:384:QADS1xtVRtvEldfxRiwOHx247vFzOb+WikEXD4TATJMd5GZGh+zm:j27DRtvkOP1OiW3EA+zm
                          MD5:1A01510DB1D339605758F6BB1F0ACC08
                          SHA1:DAD958A0B384CE596C1E7B7298ED885EF0567C2C
                          SHA-256:277FE08018C33D9687599F4AB8BBCE3A0AF17262C0BDC071EF8B018B6FB16843
                          SHA-512:B589C540C50F03D2CB3A551E36B90C8993828EB680F381AE56D28677741C847B7E934B0F03CD279AB2B85D8066A76DABFBA1AB8A1B0286909443438A908C1554
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 08:18:23 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):104256
                          Entropy (8bit):2.0522571941441634
                          Encrypted:false
                          SSDEEP:384:t2WK1jrDFtvWhoA0mG8z3MVBykpwS26tuHX/T18S0KQ7jmXGvjJ9KVONXxc:M9xDFtvMSgS2UaL18nKqc
                          MD5:EC19B1A25DF96C50AD9E1899807776D9
                          SHA1:F11C99B9DB9C2A2320342E15A025B921EDE94FE6
                          SHA-256:2F42515435085A1EE00DA246283E93CB0FCF90F8F11AB96A59F426AE2D954495
                          SHA-512:D1BFC3187E667FF2CC2E09D7907DD64D3851F40F2ADA063D975E8CA2D4691B881CFF036C390419E2C7F52DC1BC9A012E73902F55947644CF5A1400063555C206
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8394
                          Entropy (8bit):3.706538928850102
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJ4h6ByQ6Y9+SUXgmfWJJBcprA89biwsfFWm:R6lXJ26ByQ6YUSUXgmfWJJyiDfN
                          MD5:23DC57D9775B7B7F4C4BEED3C6AFFF45
                          SHA1:FEA73A31F392E0CEBC8C15B15E5AA59F11037953
                          SHA-256:EF375401190AB4102D85603D34BBB6EE6BCA2D49B2B8C23C459130FF92D945AB
                          SHA-512:49115D51255047E1B0880DDBC931F54344167A9008578EE831FD2134142B4C16A2BEB43129657FCD4887C3009580B7C70DB39EE6D104FA775F068CB8EDA41A27
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.4.4.<./.P.i.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6366
                          Entropy (8bit):3.7266181533990443
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJFuK6gbYYiJJJysprs89biWsfJWm:R6lXJp6gbYYaJJri1fR
                          MD5:E4683DC54324929BCB52F197193A4F84
                          SHA1:5A0B83AC8A42B29184F9219705349948DCFD1D83
                          SHA-256:B2B000614E02CBC0BCB8616DD523C0AC550B73D497BD7E67B6E8F3B3C22C035C
                          SHA-512:DF06ADA8D9D7F4C0E649E8ACCC34381F8769CE7C724EE2CFB234B4AAF4A7F7F6C86D97D981847C5E0E742F8C73AFBB59E3985C8762E24E5EE112C7EDBDF7CA10
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.2.4.<./.P.i.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4713
                          Entropy (8bit):4.521788315529
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zs+Jg77aI9fcWpW8VYCYm8M4JYQVFJ+q8W1i8QF7d:uIjf0I79V7VqJYoli8QF7d
                          MD5:220B5143E7163DC9F3772A0C3074B5FE
                          SHA1:EDE0C7465787EEC8D8B065FD0544132B91262CA3
                          SHA-256:9FF99BC2B6FE96A1695AB0A2C2FF1F6019F3628767023585DEC4CBDA676BA131
                          SHA-512:0EDD89EA1C21338DD6AEB31908922FCCF0804679207FE88619D81F4A46461204C3D17438CCD08970881D435EEB35DE80F7BF5364F4051A63F946B1857AC07B2B
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="375801" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4703
                          Entropy (8bit):4.51522517502716
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zs+Jg77aI9fcWpW8VYfYm8M4JHjFm+q8i18qPn9d:uIjf0I79V7VvJAl8qP9d
                          MD5:095D3E11F5E7B7E3FA3EB146FC6552C4
                          SHA1:ED01E88719D45C38057110D95D03F74ADC98AE80
                          SHA-256:BFBBB96F7CA0B735209BE34014DC450242CA1EDA3EB2581C23935906AC001D4C
                          SHA-512:77F3A9A72DF6652D90E935F9E61854EAFC52F3A1FE9EC9C8103378998C72CB35611D5AAD03856CA9E378AA36B4FEC608697DBB23AA767D55D99D272C11B8B133
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="375801" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6366
                          Entropy (8bit):3.7290748840292607
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJDu96dp67NYiJJJysprY89bdJsf6L/m:R6lXJI6dp67NYaJJ3dif66
                          MD5:1BA563DC145FECEBC2A1E153192D6FD5
                          SHA1:820597A1481060E03F8F1B404C2A3D460EECFE7B
                          SHA-256:37BE97297320864C8B94F3BB898D470419A92DDB317832840EB8125153FA4B06
                          SHA-512:5934FD053A43B0911E696AB2DDD79343E62AA0E05DEC083184710A26FFDD3BDAF9DC940A5859CFD0BA789C11114123D630C4AD1F62233F7F1E70ACD117DD5225
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.0.0.<./.P.i.
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4703
                          Entropy (8bit):4.514496948397311
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zs+Jg77aI9fcWpW8VY/4Ym8M4JHjF4+q8in8qPn2d:uIjf0I79V7V8JGX8qP2d
                          MD5:CA632631A820F65324A68064A9CC9642
                          SHA1:92CE6A7DEA31381F8AF2DB7E73DFA271BFFF0930
                          SHA-256:01D27A71DDFFACAC17664768CCB74793E903FCA74F67C3017F23D54C84E0579A
                          SHA-512:E8DC9A20B03DB225949562354106A2760588E81E94366DFF99A5993919D14589CB554B6107DFE2B3D97E8A5EB8A43A96AB775637C5DF3B45FECB10D871FA5AAE
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="375801" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3285520
                          Entropy (8bit):7.9670682991434125
                          Encrypted:false
                          SSDEEP:49152:YQqdyW2QvYnYuHn2XYMGpokbLH+WYbIloN32VjGFbNNv9sCLBfqKtt/LBs3r7G8b:YQCyrmYnYiLlPbL2MVQYCVXLOaxc
                          MD5:093BDA46F4EBE927A99CC0E120D50D8C
                          SHA1:1312D8E21C7AC0FCF1F64067690151A86738C856
                          SHA-256:FFD113A300E84AA5E0F426F711104FB6F6AC411A5C02F620433A0BD76E30B141
                          SHA-512:83C2E93B5DDCA444391AFCB7229EC2EE2ED40F1637C05C4984F907D00643D8023B7EC344AE17410114CB123FB05A8F693866349318AFB3844C39FEBABE06A475
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 50%
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                          Category:modified
                          Size (bytes):5547
                          Entropy (8bit):7.904251445531728
                          Encrypted:false
                          SSDEEP:96:5WGzqeAoMq+YK0KF8cAJiI2i+u2YTFu/pIw9jV1/saPsR9UY3KJv:NqASpF8wFiTk/pICjVXERmY6Jv
                          MD5:9C2E6B1161B0B928F024CF6EECF5B795
                          SHA1:038DC3D47E04ACEDD0EEEA4C6D7CEC82E2A05071
                          SHA-256:7E0E3FB84B11F73614F68BCB4EC0B34B5AE4D1183AC9B2C1440084CC561B66AF
                          SHA-512:FDE6993F968607F8268FD5EF9F8EB6311BF6D9032244BE28459557882A32050A48AEFFEC553476D26A7F77137FB14BE2804816F17001B42B836CB7C11E520FED
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\O2ikhRyQ71SvrRUjZ9MvGf7.zip, Author: Joe Security
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                          Category:dropped
                          Size (bytes):5599
                          Entropy (8bit):7.90321279480738
                          Encrypted:false
                          SSDEEP:96:5WGzqeAoMq+YK0KF8cAJiI2i+u3RyIKpJKCNCeoLgN3naw3KJH:NqASpF8wFmcosNXaw6JH
                          MD5:B19D322AE5AF30EB3B37F6298A29FB8D
                          SHA1:D84112EEE08B2D0BB311AA4C62C632CFE943C128
                          SHA-256:A74F49AD0C72BC36C3853C2B9A72CDFCC3FA501F1E54B57D2A4F2DF83A3236E3
                          SHA-512:EE343D44CD7D6AC366434649E5ED32EA389332615D4F64D2819687A66CDCF229A0ED396734747E16638B0CE11BA162DDA9C1308B7DE424419C117DB09FE10031
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\Sfn1YyGgu6CGTeBtRcADBVG.zip, Author: Joe Security
                          Preview:PK........L".X................Cookies\..PK........L".XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                          Category:dropped
                          Size (bytes):5609
                          Entropy (8bit):7.903050173225737
                          Encrypted:false
                          SSDEEP:96:5WGzqeAoMq+YK0KF8cAJiI2i+uL9OhH5iWrkCD7Tz2zHih3KJM5s:NqASpF8wFHH5iW/D7Tz6Ch6JMS
                          MD5:C70246219F3EB47BEF8D51C67C322F15
                          SHA1:D6444F3CDB26F625ED06CF816DCC93663ACE65A1
                          SHA-256:8734306A8019687546910ACC4427FB0EAF2C2ED4231E91FA0719D88941570FBC
                          SHA-512:577851C396552ABEEFA1199115A7909BB715E16FB1A35CEEB2DFC764B7647D6A4B9B204D4EEB906FF52C37AD40E8955E8722FD632A4AF0546079B06A9F1F3B11
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\UWUWkzI6iEQD6XYchYfKNkl.zip, Author: Joe Security
                          Preview:PK........P".X................Cookies\..PK........P".XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                          Category:modified
                          Size (bytes):5625
                          Entropy (8bit):7.894707877322794
                          Encrypted:false
                          SSDEEP:96:LUT29vHz9WQBavDziBP1Pe4McobRHSIL0cR7MpsFFv1v6lsm1b3KJc:LUT29Hz9WGFh1Pe4q48R7MOFBwb6Jc
                          MD5:A78D9E07F8D39828E1F6CD104ED8D674
                          SHA1:FFD9F92409FE3661E1D68FA72CBBE68F86052BD7
                          SHA-256:E28BE53A32D01484816BA3FA59B325FFD2E9778F7AA2D7D52BB0387AAEAF5317
                          SHA-512:36D8B337D8299752EE224191FFCE90B9C021AD92D7D47485590FC1352771ADF712BC4035A38D6DA1DC4B2874876B1EC78B64E07380D4D7958FBA578D0DAC22AF
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\hOyPUaIJ5lfWhg1CogD2H0Y.zip, Author: Joe Security
                          Preview:PK........I".X................Cookies\..PK........I".X..s@..../......Cookies\Chrome_Default.txt.G.....5..G.BMx.....%.M...{...?.LH..71.t.....:y3..s./.0.m.%......../. ..!..A.C.........;...x...........!.2.....Z..<....*<.h8..<.q;.....9....gK.}.R.#f...A.E...1...?lR....b.....nS=l.%E&'...>x......h.......E)C..t..'.2<Z_@.........&Lk......0..B.mqk.9M1lf.-e@....E.v..R&..|..-....C.w.Y.K... ...*.....k..3..2W5.!vs.....S.~.......0._.*..e.....U...).....>...g+;...z[Ks....Z..d...|.".v..(...I....+.7.y.X@.H....eV.............Y..c..x...Kw.'S>.d|.....B..k.p..|C|F.......O52....`f.3W..../....i..E...7..c.Kwv..,]..C..j.2.T..+............t.2....6.M>..s..K.M...VJ..>;.......n.<f;]s.K..5...n....~$ ....%......Z#.....Q5...<n...I&......0<:..>..I.K)g.)..KX.H.(Y!..j4W.j..1.V..d\.T..,p...D...T..>z...,.....L.....Mh.t..!....A...!?.U...x..[a7j.N;#..t.\.#.Z.-)f...v_.<..?..`.D0..?......).vX.#...Lw.j...1.....M.#...+.W....h....U.W....G.w......'.Y?.....;.....`...X...C..w..
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):13
                          Entropy (8bit):2.8731406795131336
                          Encrypted:false
                          SSDEEP:3:L0jSVce:wjSB
                          MD5:D2EADC1CA1E58B14C6FB7DF4CE546369
                          SHA1:5AB70200971C9214B6028BE4BF05825085863D33
                          SHA-256:9AF77243567403FBC8F44AFE386B07904F54970D2C6211F2885C6440E5644DA5
                          SHA-512:7FB0F29436831B8F2480CBEB3505FF7744813C7E6D9567BCB05DFFF141CD336EE8A423EF0AECF277FDC06196156A7BFAA3B245F0F242DB3C09786BC7DF086AE7
                          Malicious:false
                          Preview:1718875709649
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):98304
                          Entropy (8bit):0.08235737944063153
                          Encrypted:false
                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037963276276857943
                          Encrypted:false
                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                          Malicious:false
                          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037963276276857943
                          Encrypted:false
                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                          Malicious:false
                          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):126976
                          Entropy (8bit):0.47147045728725767
                          Encrypted:false
                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):126976
                          Entropy (8bit):0.47147045728725767
                          Encrypted:false
                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.7873599747470391
                          Encrypted:false
                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                          Malicious:false
                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                          Category:dropped
                          Size (bytes):28672
                          Entropy (8bit):2.5793180405395284
                          Encrypted:false
                          SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                          MD5:41EA9A4112F057AE6BA17E2838AEAC26
                          SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                          SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                          SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):49152
                          Entropy (8bit):0.8180424350137764
                          Encrypted:false
                          SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                          MD5:349E6EB110E34A08924D92F6B334801D
                          SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                          SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                          SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.7873599747470391
                          Encrypted:false
                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                          Malicious:false
                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):98304
                          Entropy (8bit):0.08235737944063153
                          Encrypted:false
                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037963276276857943
                          Encrypted:false
                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                          Malicious:false
                          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.7873599747470391
                          Encrypted:false
                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                          Malicious:false
                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                          Category:dropped
                          Size (bytes):28672
                          Entropy (8bit):2.5793180405395284
                          Encrypted:false
                          SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                          MD5:41EA9A4112F057AE6BA17E2838AEAC26
                          SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                          SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                          SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037963276276857943
                          Encrypted:false
                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                          Malicious:false
                          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):49152
                          Entropy (8bit):0.8180424350137764
                          Encrypted:false
                          SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                          MD5:349E6EB110E34A08924D92F6B334801D
                          SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                          SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                          SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.7873599747470391
                          Encrypted:false
                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                          Malicious:false
                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):126976
                          Entropy (8bit):0.47147045728725767
                          Encrypted:false
                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):126976
                          Entropy (8bit):0.47147045728725767
                          Encrypted:false
                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):98304
                          Entropy (8bit):0.08235737944063153
                          Encrypted:false
                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037963276276857943
                          Encrypted:false
                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                          Malicious:false
                          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037963276276857943
                          Encrypted:false
                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                          Malicious:false
                          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):49152
                          Entropy (8bit):0.8180424350137764
                          Encrypted:false
                          SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                          MD5:349E6EB110E34A08924D92F6B334801D
                          SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                          SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                          SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):126976
                          Entropy (8bit):0.47147045728725767
                          Encrypted:false
                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):126976
                          Entropy (8bit):0.47147045728725767
                          Encrypted:false
                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                          Category:dropped
                          Size (bytes):28672
                          Entropy (8bit):2.5793180405395284
                          Encrypted:false
                          SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                          MD5:41EA9A4112F057AE6BA17E2838AEAC26
                          SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                          SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                          SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                          Malicious:false
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.7873599747470391
                          Encrypted:false
                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                          Malicious:false
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.7873599747470391
                          Encrypted:false
                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):98304
                          Entropy (8bit):0.08235737944063153
                          Encrypted:false
                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037963276276857943
                          Encrypted:false
                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):126976
                          Entropy (8bit):0.47147045728725767
                          Encrypted:false
                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.7873599747470391
                          Encrypted:false
                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):49152
                          Entropy (8bit):0.8180424350137764
                          Encrypted:false
                          SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                          MD5:349E6EB110E34A08924D92F6B334801D
                          SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                          SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                          SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037963276276857943
                          Encrypted:false
                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.7873599747470391
                          Encrypted:false
                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                          Category:dropped
                          Size (bytes):28672
                          Entropy (8bit):2.5793180405395284
                          Encrypted:false
                          SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                          MD5:41EA9A4112F057AE6BA17E2838AEAC26
                          SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                          SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                          SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):114688
                          Entropy (8bit):0.9746603542602881
                          Encrypted:false
                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                          Malicious:false
                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):126976
                          Entropy (8bit):0.47147045728725767
                          Encrypted:false
                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1358696453229276
                          Encrypted:false
                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                          Malicious:false
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:ASCII text, with very long lines (769), with CRLF line terminators
                          Category:dropped
                          Size (bytes):6085
                          Entropy (8bit):6.038274200863744
                          Encrypted:false
                          SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                          MD5:ACB5AD34236C58F9F7D219FB628E3B58
                          SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                          SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                          SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                          Malicious:false
                          Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:ASCII text, with CRLF, LF line terminators
                          Category:dropped
                          Size (bytes):7103
                          Entropy (8bit):5.53465291656448
                          Encrypted:false
                          SSDEEP:96:xPsktORhfcT4Aisph+9hcBtNllfANUbg3x:xCvfvAtphWhcBtWB
                          MD5:29450A486ACCDC544B361C13A2947730
                          SHA1:D7D2665D7195FD6119F4F0ADE3A9357B25D0D6D7
                          SHA-256:A2B8E9025306D94A99F3F4691D035C2026A995C7CC97EA417E006C94490B5E2D
                          SHA-512:D87BA1DCF2695B4BBEA69EDA10CDB9CA7DBEF930BD06A099276985FA06DAF54777F0C4920AB7B93CCD3A37F1E25418EF00001C9C1BA4FD3CFE2D63CFEA642F9B
                          Malicious:false
                          Preview:Build: lamer..Version: 2.0....Date: Thu Jun 20 04:18:18 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: c81a725b497df1b73001a45a9a951bf2....Path: C:\Users\user\Desktop\D44CPdpkNk.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy3x9gJBcQfMeS....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 226533 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 4:18:18..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe
                          Process:C:\Users\user\Desktop\D44CPdpkNk.exe
                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                          Category:dropped
                          Size (bytes):4897
                          Entropy (8bit):2.518316437186352
                          Encrypted:false
                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                          Malicious:false
                          Preview:................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:ASCII text, with very long lines (769), with CRLF line terminators
                          Category:dropped
                          Size (bytes):6085
                          Entropy (8bit):6.038274200863744
                          Encrypted:false
                          SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                          MD5:ACB5AD34236C58F9F7D219FB628E3B58
                          SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                          SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                          SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                          Malicious:false
                          Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:ASCII text, with CRLF, LF line terminators
                          Category:dropped
                          Size (bytes):7327
                          Entropy (8bit):5.5430166033760795
                          Encrypted:false
                          SSDEEP:96:xP9kKORhYcT4Aisph+9hcBtNllUTdANUbg3x:xgvYvAtphWhcBtK+B
                          MD5:A58E786FEC098052EEB73121A1C594B3
                          SHA1:EA6863AFECF3B6D1BAF9C818B207D5FF3B552C0B
                          SHA-256:ECD40204FFFCB894021C73BD1F62BE33CEBE9809E30C2BB460995FFB584F034B
                          SHA-512:8F03C188F3824E8B1FAAE6CF72E7AD56678E7AF0BCCFC5E914506096F17AA152B4A789EE8B229242B7689AA3309BE9759C861F4F33CBEE07FB4ACE997A152BC9
                          Malicious:false
                          Preview:Build: lamer..Version: 2.0....Date: Thu Jun 20 04:18:33 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: c81a725b497df1b73001a45a9a951bf2....Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy6Nuw1ORO26gR....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 226533 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 4:18:33..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                          Category:dropped
                          Size (bytes):4897
                          Entropy (8bit):2.518316437186352
                          Encrypted:false
                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                          Malicious:false
                          Preview:................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:ASCII text, with very long lines (769), with CRLF line terminators
                          Category:dropped
                          Size (bytes):12170
                          Entropy (8bit):6.038274200863744
                          Encrypted:false
                          SSDEEP:192:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WhHGYUnOTNC5IcXkWFXZQHRFJ5Pts7c3aP:gwsPbtKvCpqq40wsPbtKvCpqq47
                          MD5:B6F52D24FC4333CE4C66DDA3C3735C85
                          SHA1:5B69F1D66E95EFE2CF1710E9F58526B2AAEC67E4
                          SHA-256:0FEE1A764F541EC6733DB89C823296650F6E581CD7D812D5A142B5A0AD9BC9B6
                          SHA-512:CD2C6D64083061D7C7A7E89CF9C9F7D2B66301C73CFB56D2CCD94D1B810DE42774DAE5B77DB2E567A26FC54989C04D8A60D76225E6F3F91FCD2AE4D2E01F3C4C
                          Malicious:false
                          Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:ASCII text, with CRLF, LF line terminators
                          Category:dropped
                          Size (bytes):7102
                          Entropy (8bit):5.537254411985812
                          Encrypted:false
                          SSDEEP:96:xPskAORhfcT4Aisph+9hcBtNllfANUbg3x:x9vfvAtphWhcBtWB
                          MD5:F83F1CE2B27BF3673BB2332124BFA7B7
                          SHA1:5B556820EA0BB70EE0F02F7CB713507D66AC2321
                          SHA-256:10F09287B2F470ECDBF8202315E648F25A8CB426ADD8C532E9DF7998458B8C58
                          SHA-512:25AE7A44087F8330E7F12AB751706D5CE08697B0D76117D1B24379D9723DD01EF530EB84603C68CF7308DED449EE08BFF4D93E448398388933BBA06E8BD841B0
                          Malicious:false
                          Preview:Build: lamer..Version: 2.0....Date: Thu Jun 20 04:18:18 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: c81a725b497df1b73001a45a9a951bf2....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyJkYygiW7iXux....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 226533 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 4:18:18..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe
                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                          Category:dropped
                          Size (bytes):4897
                          Entropy (8bit):2.518316437186352
                          Encrypted:false
                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                          Malicious:false
                          Preview:................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:ASCII text, with very long lines (769), with CRLF line terminators
                          Category:dropped
                          Size (bytes):6085
                          Entropy (8bit):6.038274200863744
                          Encrypted:false
                          SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                          MD5:ACB5AD34236C58F9F7D219FB628E3B58
                          SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                          SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                          SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                          Malicious:false
                          Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:ASCII text, with CRLF, LF line terminators
                          Category:dropped
                          Size (bytes):7284
                          Entropy (8bit):5.54318683492064
                          Encrypted:false
                          SSDEEP:96:xPQkSORhbrcT4Aisph+9hcBtNllUT8ANUbg3x:xTvbrvAtphWhcBtKFB
                          MD5:C5CC1CD51714674CC8EB98BF8E44D115
                          SHA1:1714B04A3347B8C223A4B64A0C3FD703EFE2B344
                          SHA-256:E7582754EC26F02A290ADF1182AD4E188B6BD54DCB338BC0FD8857DCE52C4C4F
                          SHA-512:969B6FF3E05524D9E7E2D030CFE6B6CFF393A8D0849915486C27CC38C6EB1948075AFE5C4E202E0C39CCC50152E9FB4DF27BABDDC279C4ACF1396AD4EC0A3153
                          Malicious:false
                          Preview:Build: lamer..Version: 2.0....Date: Thu Jun 20 04:18:25 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: c81a725b497df1b73001a45a9a951bf2....Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyglx2UtLzqYTr....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 226533 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 4:18:25..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..
                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                          Category:dropped
                          Size (bytes):4897
                          Entropy (8bit):2.518316437186352
                          Encrypted:false
                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                          Malicious:false
                          Preview:................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):1835008
                          Entropy (8bit):4.4690784072787455
                          Encrypted:false
                          SSDEEP:6144:DIXfpi67eLPU9skLmb0b4bWSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSbr:UXD94bWlLZMM6YFHo+r
                          MD5:0DFD191D267AB13AA7A021C64CD48CC4
                          SHA1:626A5B8AC78E735ED7686E82CAD6BA08E4A0D53D
                          SHA-256:D57123BB043CB19A0657B94E68A3D1303F953FA986F125CA8ECAF665F57AA93A
                          SHA-512:880349C4B2664EDFF1B5A2696B339DFAB806E8EB0F742791B00F22EB1E44234CD091AC699012885EDB76958A5B7DBEFFCB426F2CE5BD1742C773CE52A4E2E7B8
                          Malicious:false
                          Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..(j..................................................................................................................................................................................................................................................................................................................................................?^........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.9670682991434125
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:D44CPdpkNk.exe
                          File size:3'285'520 bytes
                          MD5:093bda46f4ebe927a99cc0e120d50d8c
                          SHA1:1312d8e21c7ac0fcf1f64067690151a86738c856
                          SHA256:ffd113a300e84aa5e0f426f711104fb6f6ac411a5c02f620433a0bd76e30b141
                          SHA512:83c2e93b5ddca444391afcb7229ec2ee2ed40f1637c05c4984f907d00643d8023b7ec344ae17410114cb123fb05a8f693866349318afb3844c39febabe06a475
                          SSDEEP:49152:YQqdyW2QvYnYuHn2XYMGpokbLH+WYbIloN32VjGFbNNv9sCLBfqKtt/LBs3r7G8b:YQCyrmYnYiLlPbL2MVQYCVXLOaxc
                          TLSH:7FE5337788A06FD0E428D4376E128DA52D4CB708EF171A7CF81F6EBD87092AC1379599
                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                          Icon Hash:8596a1a0a1a1b171
                          Entrypoint:0x980058
                          Entrypoint Section:.boot
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:0
                          File Version Major:6
                          File Version Minor:0
                          Subsystem Version Major:6
                          Subsystem Version Minor:0
                          Import Hash:63814aaf116ba6abb6496ce4bcad24c6
                          Instruction
                          call 00007F4271116190h
                          push ebx
                          mov ebx, esp
                          push ebx
                          mov esi, dword ptr [ebx+08h]
                          mov edi, dword ptr [ebx+10h]
                          cld
                          mov dl, 80h
                          mov al, byte ptr [esi]
                          inc esi
                          mov byte ptr [edi], al
                          inc edi
                          mov ebx, 00000002h
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          jnc 00007F427111602Ch
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          jnc 00007F4271116093h
                          xor eax, eax
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          jnc 00007F4271116127h
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          adc eax, eax
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          adc eax, eax
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          adc eax, eax
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          adc eax, eax
                          je 00007F427111604Ah
                          push edi
                          mov eax, eax
                          sub edi, eax
                          mov al, byte ptr [edi]
                          pop edi
                          mov byte ptr [edi], al
                          inc edi
                          mov ebx, 00000002h
                          jmp 00007F4271115FDBh
                          mov eax, 00000001h
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          adc eax, eax
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          jc 00007F427111602Ch
                          sub eax, ebx
                          mov ebx, 00000001h
                          jne 00007F427111606Ah
                          mov ecx, 00000001h
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          adc ecx, ecx
                          add dl, dl
                          jne 00007F4271116047h
                          mov dl, byte ptr [esi]
                          inc esi
                          adc dl, dl
                          jc 00007F427111602Ch
                          push esi
                          mov esi, edi
                          sub esi, ebp
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19618b | 0x184 | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18a000 | 0x1638 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7eb000 | 0x10 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x197018 | 0x18 | .tls
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x18369c | 0x40 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          (unnamed) | 0x1000 | 0x15bbc8 | 0x9d200 | 52c8d8736a0729eed939fe5f4f1a45c2 | False | 0.999139195505171 | data | 7.986055415037788 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          (unnamed) | 0x15d000 | 0x27e32 | 0x10a00 | dd142d0c89c8a53e3b197f2810bb5b10 | False | 0.994404957706767 | data | 7.955133990446104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          (unnamed) | 0x185000 | 0x4930 | 0x800 | b400e9aeb9cc9bd7a33c5117ab327465 | False | 0.99169921875 | data | 7.7930001205455435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x18a000 | 0x1638 | 0x1800 | fe6f3fdb9e7e97cba92d8ce4e4fcc95b | False | 0.7220052083333334 | data | 6.54017046361188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          (unnamed) | 0x18c000 | 0x9858 | 0x7200 | 743c250778d161bdd0f0493fe8e22716 | False | 0.9791666666666666 | OpenPGP Public Key | 7.932641354500357 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .idata | 0x196000 | 0x1000 | 0x400 | 1b20e07443fa333ff9692026d1e6c6c2 | False | 0.3984375 | data | 3.42439969016873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .tls | 0x197000 | 0x1000 | 0x200 | 54a50a058e0f3b6aa2fe1b22e2033106 | False | 0.056640625 | data | 0.18120187678200297 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .themida | 0x198000 | 0x3e8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .boot | 0x580000 | 0x26aa00 | 0x26aa00 | 8703c0bc81f9324d71aa69e65c797ce7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .reloc | 0x7eb000 | 0x1000 | 0x10 | f5bc99b71bad9e8a775cc32747e3ca58 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.474601752714581 | IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0x18a440 | 0x1060 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.8838263358778626
                          RT_GROUP_ICON | 0x18b4a0 | 0x14 | data | Russian | Russia | 1.05
                          RT_VERSION | 0x18a130 | 0x310 | data | Russian | Russia | 0.45408163265306123
                          RT_MANIFEST | 0x18b4b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                          DLL | Import
                          kernel32.dll | GetModuleHandleA
                          USER32.dll | wsprintfA
                          GDI32.dll | CreateCompatibleBitmap
                          ADVAPI32.dll | RegQueryValueExA
                          SHELL32.dll | ShellExecuteA
                          ole32.dll | CoInitialize
                          WS2_32.dll | WSAStartup
                          CRYPT32.dll | CryptUnprotectData
                          SHLWAPI.dll | PathFindExtensionA
                          gdiplus.dll | GdipGetImageEncoders
                          SETUPAPI.dll | SetupDiEnumDeviceInfo
                          ntdll.dll | RtlUnicodeStringToAnsiString
                          RstrtMgr.DLL | RmStartSession
                          Language of compilation system | Country where language is spoken | Map
                          Russian | Russia |
                          English | United States |
                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          06/20/24-10:18:18.266820 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
                          06/20/24-10:18:12.891833 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          06/20/24-10:18:36.172836 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49747 | 58709 | 192.168.2.4 | 77.91.77.66
                          06/20/24-10:17:06.155610 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          06/20/24-10:17:34.165292 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49747 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:17:10.831103 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:18:27.329405 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
                          06/20/24-10:17:26.653501 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49747 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:17:18.297909 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:17:06.743077 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:17:10.864562 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:18:18.313506 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
                          06/20/24-10:17:23.519101 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:17:23.729447 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:17:23.804516 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
                          06/20/24-10:17:28.105368 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jun 20, 2024 10:17:06.099227905 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:06.104626894 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:06.104809046 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:06.155610085 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:06.160589933 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:06.743077040 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:06.797854900 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:09.876025915 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:09.881118059 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:10.208444118 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:10.210933924 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:10.213643074 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:10.213826895 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:10.215905905 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:10.216223955 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:10.225145102 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:10.226917982 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:10.230117083 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:10.232111931 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:10.831103086 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:10.864562035 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:10.875714064 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:10.907047033 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:13.954024076 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:13.959162951 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:13.985280037 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:13.990236044 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:17.661423922 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:17.666717052 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:17.666903973 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:17.677304983 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:17.682183981 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:18.297909021 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:18.344558954 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:21.438500881 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:21.443624973 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:23.519100904 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:23.563210964 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:23.664916039 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.664949894 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:23.665041924 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.666436911 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.666454077 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:23.729446888 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:23.781990051 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:23.793968916 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.794006109 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:23.794178963 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.794912100 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.794929981 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:23.804516077 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:23.860070944 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:23.891184092 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.891211987 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:23.891320944 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.893042088 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:23.893054962 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.175169945 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.175244093 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.179012060 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.179023027 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.179442883 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.219439030 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.229125023 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.276508093 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.304908991 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.304984093 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.306015015 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.306020021 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.306523085 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.357347965 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.365065098 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.365209103 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.365422010 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.368325949 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.368338108 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.368347883 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.368352890 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.376141071 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.376281977 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.379287958 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.379300117 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.379633904 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.380201101 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.380237103 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.380402088 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.380763054 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.380785942 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.404511929 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.422576904 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.492448092 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.492783070 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.493145943 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.493418932 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.493423939 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.493446112 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.493448973 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.505783081 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.510359049 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.510428905 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.510499001 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.510838032 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.510875940 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.552504063 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.636881113 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.637011051 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.637125015 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.639661074 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.639678001 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.639714003 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
                          Jun 20, 2024 10:17:24.639723063 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
                          Jun 20, 2024 10:17:24.641890049 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.641938925 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.642030001 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.642402887 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.642436028 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.915111065 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.915205956 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.918688059 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.918720961 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.919152021 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:24.929496050 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:24.972548962 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.000758886 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.000839949 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.003671885 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.003691912 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.004045963 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.011781931 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.052520990 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.072599888 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.072779894 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.072983980 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.075156927 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.075191975 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.075222969 CEST | 49744 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.075239897 CEST | 443 | 49744 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.075511932 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:25.080528021 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:25.130089045 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.130166054 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.131689072 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.131705999 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.132056952 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.139875889 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.175170898 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.175409079 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.175479889 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.176538944 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.176572084 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.176599026 CEST | 49745 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.176614046 CEST | 443 | 49745 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.177027941 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:25.180529118 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.182739019 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:25.300304890 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.300393105 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.300565004 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.300645113 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.300664902 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.300693989 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
                          Jun 20, 2024 10:17:25.300705910 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
                          Jun 20, 2024 10:17:25.300890923 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
                          Jun 20, 2024 10:17:25.305720091 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
                          Jun 20, 2024 10:17:26.012569904 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:26.018178940 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:26.018457890 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:26.037734985 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:26.042701960 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:26.653501034 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:26.703984976 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:27.770447016 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:27.813350916 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:27.923660040 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:27.969573975 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:27.970293045 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:28.016474009 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:28.105367899 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:28.156949997 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:28.218394995 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.218441963 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.218523979 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.219547033 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.219582081 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.746645927 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.746773958 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.747967005 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.747998953 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.749087095 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.797795057 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.844578028 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.930932999 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.931258917 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.931345940 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.938054085 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.938055038 CEST49748443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:28.938124895 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.938160896 CEST4434974834.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:28.941462040 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:28.941520929 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:28.941581964 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:28.941940069 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:28.941951990 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.437264919 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.437448978 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:29.438594103 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:29.438605070 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.439559937 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.440668106 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:29.488500118 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.596760988 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.597060919 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.598628044 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:29.598777056 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:29.598777056 CEST49749443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:29.598798990 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.598809958 CEST44349749104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:29.599154949 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:29.604096889 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:29.784321070 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:29.792171001 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:30.255444050 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:30.297633886 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:30.329090118 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:30.334436893 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:32.637208939 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:32.688419104 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:32.719985008 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:32.724347115 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:32.727488995 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:32.750978947 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:32.756269932 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:32.830621004 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:32.875724077 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:34.165292025 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:34.219520092 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:34.265665054 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.265752077 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.265990019 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.267189026 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.267225981 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.764332056 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.764460087 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.770678997 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.770694971 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.771761894 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.813246012 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.836679935 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.884510994 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.970978975 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.971282959 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.971365929 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.971630096 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.971648932 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.971676111 CEST49750443192.168.2.434.117.186.192
                          Jun 20, 2024 10:17:34.971683979 CEST4434975034.117.186.192192.168.2.4
                          Jun 20, 2024 10:17:34.974781036 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:34.974884987 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:34.974973917 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:34.975333929 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:34.975373983 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.475207090 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.475342035 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:35.476944923 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:35.476980925 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.477910995 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.479497910 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:35.524539948 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.629148960 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.629384995 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.629489899 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:35.629904032 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:35.629904032 CEST49751443192.168.2.4104.26.4.15
                          Jun 20, 2024 10:17:35.629941940 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.629967928 CEST44349751104.26.4.15192.168.2.4
                          Jun 20, 2024 10:17:35.630155087 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:35.634969950 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:37.469476938 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:37.516508102 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:37.563514948 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:37.568661928 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:37.683934927 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:37.710232973 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:37.735217094 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:37.750757933 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:37.766654968 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:37.771889925 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:37.782234907 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:37.787170887 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:37.818434954 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:37.860143900 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:37.907545090 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:37.912900925 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:38.145900965 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:38.188437939 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.323869944 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.323921919 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.323960066 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.323997021 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324006081 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.324031115 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324073076 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324193001 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.324193001 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.324255943 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324285984 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324346066 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.324578047 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324636936 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324687958 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.324898005 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324928045 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.324984074 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.325697899 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.325788975 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.325824022 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.325848103 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.329014063 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.329054117 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.329078913 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.375827074 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.437634945 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.437731981 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.437764883 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.437802076 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.437812090 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.437894106 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.437994957 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.438025951 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.438076019 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.438448906 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.438504934 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.438539982 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.438560009 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.438595057 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.438647032 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.439078093 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.439229012 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.439281940 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.439397097 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.439425945 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.439479113 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.439488888 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.443254948 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.443311930 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.443314075 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.443350077 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.443404913 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.451544046 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.451652050 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.451689005 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.451723099 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.451864958 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.451900005 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.452016115 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.484015942 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484074116 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484103918 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484131098 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.484159946 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484208107 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484241009 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484297037 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484328985 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484344006 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.484344959 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.484380007 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.484656096 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484711885 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484745026 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.484767914 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.484981060 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.485009909 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.485038996 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.485181093 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.485232115 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.485239983 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.489218950 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.489274025 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.489305973 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.489325047 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.489362001 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.500735998 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.547780991 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.552778006 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.557132006 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.557208061 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.557241917 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.557266951 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.557313919 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.557348013 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.557380915 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.557384014 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.557437897 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.571293116 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.610033989 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.610141039 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.610198975 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.610235929 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.610271931 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.610300064 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.610300064 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.625726938 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.625910044 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.630855083 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.657082081 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.657298088 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.657299042 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:39.662439108 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:39.662530899 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:42.594738960 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:42.599802017 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:45.031604052 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:45.078937054 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:45.103651047 CEST4974758709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:45.109045029 CEST587094974777.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:45.844744921 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:45.849870920 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:45.891428947 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:45.896718979 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:46.393040895 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:46.423686981 CEST4973158709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:46.428916931 CEST587094973177.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:46.483315945 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:46.514405966 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:46.532289982 CEST4973358709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:46.532310963 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:46.532311916 CEST4973258709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:46.537578106 CEST587094973377.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:46.537622929 CEST587094973277.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.638257027 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.638315916 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.638354063 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.638376951 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:48.638458967 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.638499022 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.638516903 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:48.638534069 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.638591051 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:48.639236927 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639296055 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639329910 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639352083 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:48.639441013 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639496088 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639499903 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:48.639659882 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639715910 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639715910 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:48.639899969 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639955044 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.639955997 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:48.643439054 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.643520117 CEST4973458709192.168.2.477.91.77.66
                          Jun 20, 2024 10:17:48.763221025 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.763264894 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.763328075 CEST587094973477.91.77.66192.168.2.4
                          Jun 20, 2024 10:17:48.763345003 CEST4973458709192.168.2.477.91.77.66
                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                           Jun 20, 2024 10:17:23.651736975 CEST | 49584 | 53 | 192.168.2.4 | 1.1.1.1
                           Jun 20, 2024 10:17:23.660598993 CEST | 53 | 49584 | 1.1.1.1 | 192.168.2.4
                           Jun 20, 2024 10:17:24.370682955 CEST | 62744 | 53 | 192.168.2.4 | 1.1.1.1
                           Jun 20, 2024 10:17:24.379420996 CEST | 53 | 62744 | 1.1.1.1 | 192.168.2.4
                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                           Jun 20, 2024 10:17:23.651736975 CEST | 192.168.2.4 | 1.1.1.1 | 0xa118 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
                           Jun 20, 2024 10:17:24.370682955 CEST | 192.168.2.4 | 1.1.1.1 | 0x38e4 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                           Jun 20, 2024 10:17:23.660598993 CEST | 1.1.1.1 | 192.168.2.4 | 0xa118 | No error (0) | ipinfo.io |  | 34.117.186.192 | A (IP address) | IN (0x0001) | false
                           Jun 20, 2024 10:17:24.379420996 CEST | 1.1.1.1 | 192.168.2.4 | 0x38e4 | No error (0) | db-ip.com |  | 104.26.4.15 | A (IP address) | IN (0x0001) | false
                           Jun 20, 2024 10:17:24.379420996 CEST | 1.1.1.1 | 192.168.2.4 | 0x38e4 | No error (0) | db-ip.com |  | 104.26.5.15 | A (IP address) | IN (0x0001) | false
                           Jun 20, 2024 10:17:24.379420996 CEST | 1.1.1.1 | 192.168.2.4 | 0x38e4 | No error (0) | db-ip.com |  | 172.67.75.166 | A (IP address) | IN (0x0001) | false
                          • ipinfo.io
                          • https:
                          • db-ip.com
                           Session ID | Source IP | Source Port | Destination IP | Destination Port
                           0 | 192.168.2.4 | 49730 | 34.117.186.192 | 443
                           Timestamp | Bytes transferred | Direction | Data
                           2024-06-20 08:16:56 UTC | 59 | OUT | GET / HTTP/1.1
                          Host: ipinfo.io
                          Connection: Keep-Alive
                           2024-06-20 08:16:57 UTC | 513 | IN | HTTP/1.1 200 OK
                          server: nginx/1.24.0
                          date: Thu, 20 Jun 2024 08:16:56 GMT
                          content-type: application/json; charset=utf-8
                          Content-Length: 319
                          access-control-allow-origin: *
                          x-frame-options: SAMEORIGIN
                          x-xss-protection: 1; mode=block
                          x-content-type-options: nosniff
                          referrer-policy: strict-origin-when-cross-origin
                          x-envoy-upstream-service-time: 2
                          via: 1.1 google
                          strict-transport-security: max-age=2592000; includeSubDomains
                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                          Connection: close
                           2024-06-20 08:16:57 UTC | 319 | IN | Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "


                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                           1 | 192.168.2.4 | 49741 | 34.117.186.192 | 443 | 7344 | C:\Users\user\Desktop\D44CPdpkNk.exe
                           Timestamp | Bytes transferred | Direction | Data
                           2024-06-20 08:17:24 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Referer: https://ipinfo.io/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: ipinfo.io
                           2024-06-20 08:17:24 UTC | 514 | IN | HTTP/1.1 200 OK
                          server: nginx/1.24.0
                          date: Thu, 20 Jun 2024 08:17:24 GMT
                          content-type: application/json; charset=utf-8
                          Content-Length: 1025
                          access-control-allow-origin: *
                          x-frame-options: SAMEORIGIN
                          x-xss-protection: 1; mode=block
                          x-content-type-options: nosniff
                          referrer-policy: strict-origin-when-cross-origin
                          x-envoy-upstream-service-time: 2
                          via: 1.1 google
                          strict-transport-security: max-age=2592000; includeSubDomains
                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                          Connection: close
                           2024-06-20 08:17:24 UTC | 876 | IN | Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                           2024-06-20 08:17:24 UTC | 149 | IN | Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                           2 | 192.168.2.4 | 49742 | 34.117.186.192 | 443 | 7524 | C:\ProgramData\MPGPH131\MPGPH131.exe
                           Timestamp | Bytes transferred | Direction | Data
                           2024-06-20 08:17:24 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Referer: https://ipinfo.io/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: ipinfo.io
                           2024-06-20 08:17:24 UTC | 514 | IN | HTTP/1.1 200 OK
                          server: nginx/1.24.0
                          date: Thu, 20 Jun 2024 08:17:24 GMT
                          content-type: application/json; charset=utf-8
                          Content-Length: 1025
                          access-control-allow-origin: *
                          x-frame-options: SAMEORIGIN
                          x-xss-protection: 1; mode=block
                          x-content-type-options: nosniff
                          referrer-policy: strict-origin-when-cross-origin
                          x-envoy-upstream-service-time: 2
                          via: 1.1 google
                          strict-transport-security: max-age=2592000; includeSubDomains
                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                          Connection: close
                           2024-06-20 08:17:24 UTC | 876 | IN | Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                           2024-06-20 08:17:24 UTC | 149 | IN | Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                           3 | 192.168.2.4 | 49743 | 34.117.186.192 | 443 | 7500 | C:\ProgramData\MPGPH131\MPGPH131.exe
                           Timestamp | Bytes transferred | Direction | Data
                           2024-06-20 08:17:24 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Referer: https://ipinfo.io/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: ipinfo.io
                           2024-06-20 08:17:24 UTC | 514 | IN | HTTP/1.1 200 OK
                          server: nginx/1.24.0
                          date: Thu, 20 Jun 2024 08:17:24 GMT
                          content-type: application/json; charset=utf-8
                          Content-Length: 1025
                          access-control-allow-origin: *
                          x-frame-options: SAMEORIGIN
                          x-xss-protection: 1; mode=block
                          x-content-type-options: nosniff
                          referrer-policy: strict-origin-when-cross-origin
                          x-envoy-upstream-service-time: 2
                          via: 1.1 google
                          strict-transport-security: max-age=2592000; includeSubDomains
                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                          Connection: close
                           2024-06-20 08:17:24 UTC | 876 | IN | Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                           2024-06-20 08:17:24 UTC | 149 | IN | Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                           4 | 192.168.2.4 | 49744 | 104.26.4.15 | 443 | 7344 | C:\Users\user\Desktop\D44CPdpkNk.exe
                           Timestamp | Bytes transferred | Direction | Data
                           2024-06-20 08:17:24 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: db-ip.com
                           2024-06-20 08:17:25 UTC | 653 | IN | HTTP/1.1 200 OK
                          Date: Thu, 20 Jun 2024 08:17:25 GMT
                          Content-Type: application/json
                          Transfer-Encoding: chunked
                          Connection: close
                          x-iplb-request-id: A29E9BD7:30A6_93878F2E:0050_6673E595_149F96A8:7B63
                          x-iplb-instance: 59128
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E6tIcTdLROUGf5WhhVlSPJxw7NWaFTc7XltMHvB%2BA77i7cEMHW4PhWo1KunnCLq8Q7hJho2THRzZ7w0W%2FZOvE6SPqoVuehawPl1wvjgAVlbhCvq4LPyZATaHrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 896a52832c4543ad-EWR
                          alt-svc: h3=":443"; ma=86400
                           2024-06-20 08:17:25 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                           2024-06-20 08:17:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                           Data Ascii: 0


                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                           5 | 192.168.2.4 | 49745 | 104.26.4.15 | 443 | 7524 | C:\ProgramData\MPGPH131\MPGPH131.exe
                           Timestamp | Bytes transferred | Direction | Data
                           2024-06-20 08:17:25 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: db-ip.com
                           2024-06-20 08:17:25 UTC | 659 | IN | HTTP/1.1 200 OK
                          Date: Thu, 20 Jun 2024 08:17:25 GMT
                          Content-Type: application/json
                          Transfer-Encoding: chunked
                          Connection: close
                          x-iplb-request-id: AC4672F1:A97A_93878F2E:0050_6673E595_14B3EA7E:4F34
                          x-iplb-instance: 59215
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JbhPTjpt0EMV3o2gfrAVkTccXzY36XozvvWsvmB6xBqG9bfK7Kx9CABz5krBWUnwh%2F%2FHkJR6ori16Fp09HRdWrifAt1gQjddSz%2Bzxs5BXRyPT0zjJWztt%2FO%2BhA%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 896a5283c84a32d0-EWR
                          alt-svc: h3=":443"; ma=86400
                           2024-06-20 08:17:25 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                           2024-06-20 08:17:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                           Data Ascii: 0


                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                           6 | 192.168.2.4 | 49746 | 104.26.4.15 | 443 | 7500 | C:\ProgramData\MPGPH131\MPGPH131.exe
                           Timestamp | Bytes transferred | Direction | Data
                           2024-06-20 08:17:25 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: db-ip.com
                           2024-06-20 08:17:25 UTC | 659 | IN | HTTP/1.1 200 OK
                          Date: Thu, 20 Jun 2024 08:17:25 GMT
                          Content-Type: application/json
                          Transfer-Encoding: chunked
                          Connection: close
                          x-iplb-request-id: A29E3EA7:3056_93878F2E:0050_6673E595_149F96B4:7B63
                          x-iplb-instance: 59128
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1AixWH%2BvoblDvrHNujQwC9AEOZRSnDjdvKdasoPALURQFT50LVkp%2FqnIvfr5fcpCPMV3WiQ3aLhrQcDoE8KquMVcNym5pX%2BSyVBeyt%2FnNiBh49mS4O5NLu%2Fl0A%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 896a52849931c325-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-06-20 08:17:25 UTC85INData Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                          Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                          2024-06-20 08:17:25 UTC5INData Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                          7           192.168.2.4  49748        34.117.186.192  443               7600  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          Timestamp                Bytes transferred  Direction  Data
                          2024-06-20 08:17:28 UTC  236                OUT        GET /widget/demo/8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Referer: https://ipinfo.io/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: ipinfo.io
                          2024-06-20 08:17:28 UTC  514                IN         HTTP/1.1 200 OK
                          server: nginx/1.24.0
                          date: Thu, 20 Jun 2024 08:17:28 GMT
                          content-type: application/json; charset=utf-8
                          Content-Length: 1025
                          access-control-allow-origin: *
                          x-frame-options: SAMEORIGIN
                          x-xss-protection: 1; mode=block
                          x-content-type-options: nosniff
                          referrer-policy: strict-origin-when-cross-origin
                          x-envoy-upstream-service-time: 2
                          via: 1.1 google
                          strict-transport-security: max-age=2592000; includeSubDomains
                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                          Connection: close
                          2024-06-20 08:17:28 UTC  876                IN         Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                          Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                          2024-06-20 08:17:28 UTC  149                IN         Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                          Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                          8           192.168.2.4  49749        104.26.4.15     443               7600  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          Timestamp                Bytes transferred  Direction  Data
                          2024-06-20 08:17:29 UTC  260                OUT        GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: db-ip.com
                          2024-06-20 08:17:29 UTC  651                IN         HTTP/1.1 200 OK
                          Date: Thu, 20 Jun 2024 08:17:29 GMT
                          Content-Type: application/json
                          Transfer-Encoding: chunked
                          Connection: close
                          x-iplb-request-id: A29E9AE3:8A24_93878F2E:0050_6673E599_14B3EB81:4F34
                          x-iplb-instance: 59215
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dTlvwJJMPdkV7a5KyQYe7x23dZxvDa%2BRcqa68zKMospvfnWSfmX5ytg73WlfOrDiYEr5ej8lorJs7Ectw3IjLwO5HxFlZjqNZGCt8qktw1WQjUSMrsJBke4JGw%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 896a529f6845430f-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-06-20 08:17:29 UTC  85                 IN         Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                          Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                          2024-06-20 08:17:29 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                          9           192.168.2.4  49750        34.117.186.192  443               7924  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          Timestamp                Bytes transferred  Direction  Data
                          2024-06-20 08:17:34 UTC  236                OUT        GET /widget/demo/8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Referer: https://ipinfo.io/
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: ipinfo.io
                          2024-06-20 08:17:34 UTC  514                IN         HTTP/1.1 200 OK
                          server: nginx/1.24.0
                          date: Thu, 20 Jun 2024 08:17:34 GMT
                          content-type: application/json; charset=utf-8
                          Content-Length: 1025
                          access-control-allow-origin: *
                          x-frame-options: SAMEORIGIN
                          x-xss-protection: 1; mode=block
                          x-content-type-options: nosniff
                          referrer-policy: strict-origin-when-cross-origin
                          x-envoy-upstream-service-time: 3
                          via: 1.1 google
                          strict-transport-security: max-age=2592000; includeSubDomains
                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                          Connection: close
                          2024-06-20 08:17:34 UTC  876                IN         Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                          Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                          2024-06-20 08:17:34 UTC  149                IN         Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                          Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                          10          192.168.2.4  49751        104.26.4.15     443               7924  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          Timestamp                Bytes transferred  Direction  Data
                          2024-06-20 08:17:35 UTC  260                OUT        GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                          Host: db-ip.com
                          2024-06-20 08:17:35 UTC  661                IN         HTTP/1.1 200 OK
                          Date: Thu, 20 Jun 2024 08:17:35 GMT
                          Content-Type: application/json
                          Transfer-Encoding: chunked
                          Connection: close
                          x-iplb-request-id: A29E9A7A:4CE6_93878F2E:0050_6673E59F_149F9946:7B63
                          x-iplb-instance: 59128
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6CDMdkCIEVzjrQ2Ar7UAQl5Fh%2BuhTKxgxDpRQEHVAonfN%2BG%2Bfi%2FxydIUNjb1oPQ0e0uIS%2BB2nzJfkX25bjmaouuEmyLiVSZBIoJI4Isy98vv5TTMtlyL9%2BGfkg%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 896a52c52b3f5e70-EWR
                          alt-svc: h3=":443"; ma=86400
                          2024-06-20 08:17:35 UTC  85                 IN         Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                          Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                          2024-06-20 08:17:35 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Target ID:0
                          Start time:04:17:02
                          Start date:20/06/2024
                          Path:C:\Users\user\Desktop\D44CPdpkNk.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\D44CPdpkNk.exe"
                          Imagebase:0x400000
                          File size:3'285'520 bytes
                          MD5 hash:093BDA46F4EBE927A99CC0E120D50D8C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2506747814.0000000005660000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2689948014.0000000000CEF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2691142764.0000000005660000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:04:17:04
                          Start date:20/06/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                          Imagebase:0xbd0000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:2
                          Start time:04:17:04
                          Start date:20/06/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:04:17:04
                          Start date:20/06/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                          Imagebase:0xbd0000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:04:17:04
                          Start date:20/06/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:04:17:06
                          Start date:20/06/2024
                          Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                          Wow64 process (32bit):true
                          Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                          Imagebase:0x400000
                          File size:3'285'520 bytes
                          MD5 hash:093BDA46F4EBE927A99CC0E120D50D8C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2704555272.0000000005760000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.2478743277.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2703127000.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 50%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:6
                          Start time:04:17:07
                          Start date:20/06/2024
                          Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                          Wow64 process (32bit):true
                          Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                          Imagebase:0x400000
                          File size:3'285'520 bytes
                          MD5 hash:093BDA46F4EBE927A99CC0E120D50D8C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.2474706662.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2719758553.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.2475226109.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:7
                          Start time:04:17:15
                          Start date:20/06/2024
                          Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                          Imagebase:0x400000
                          File size:3'285'520 bytes
                          MD5 hash:093BDA46F4EBE927A99CC0E120D50D8C
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2731573576.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2731573576.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.2581253200.0000000005621000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2733173056.0000000005624000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 50%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:11
                          Start time:04:17:23
                          Start date:20/06/2024
                          Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                          Imagebase:0x400000
                          File size:3'285'520 bytes
                          MD5 hash:093BDA46F4EBE927A99CC0E120D50D8C
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.2632498657.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000002.2667670233.00000000057AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2666318959.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.2632832669.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.2632657858.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:17
                          Start time:04:18:21
                          Start date:20/06/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 632
                          Imagebase:0x750000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:18
                          Start time:04:18:21
                          Start date:20/06/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 1896
                          Imagebase:0x750000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:20
                          Start time:04:18:22
                          Start date:20/06/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 1920
                          Imagebase:0x750000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:22
                          Start time:04:18:29
                          Start date:20/06/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 1900
                          Imagebase:0x750000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                            Execution Graph

                            Execution Coverage:23.4%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:51.6%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:43
                            [execution_graph: serialized node and edge listing of the rendered execution graph figure, starting at function 0x45e140 (entry node 46764) and covering 2000 nodes; named call nodes in the dump include CreateDirectoryA, SHGetFolderPathA, __fread_nolock and std::_Throw_Cpp_error]
46963 40bea1 46949->46963 46950 4e6ca0 86 API calls 46964 40f80d 46950->46964 46965 40de80 46951->46965 46966 40dae1 46951->46966 46967 402cf0 std::_Throw_Cpp_error 41 API calls 46952->46967 46968 40bbfa 46953->46968 46969 40ff97 46954->46969 47000 41ace0 41 API calls 46955->47000 46970 40c3a8 46956->46970 46985 402df0 std::_Throw_Cpp_error 41 API calls 46957->46985 46971 411842 46958->46971 46972 410f1c 46958->46972 46974 40fda0 46959->46974 46975 4e6ca0 86 API calls 46960->46975 46976 4e6ca0 86 API calls 46961->46976 46962->46950 48667 4e6d70 46963->48667 46979 40f84c 46964->46979 46994 4163b0 std::_Throw_Cpp_error 41 API calls 46964->46994 46978 41ab20 41 API calls 46965->46978 46980 402cf0 std::_Throw_Cpp_error 41 API calls 46966->46980 46981 40c804 46967->46981 46982 4163b0 std::_Throw_Cpp_error 41 API calls 46968->46982 47017 41ace0 41 API calls 46969->47017 46983 40c49b 46970->46983 46984 41ab20 41 API calls 46970->46984 46995 41ab20 41 API calls 46971->46995 46986 402cf0 std::_Throw_Cpp_error 41 API calls 46972->46986 46987 40d464 46973->46987 46988 402df0 std::_Throw_Cpp_error 41 API calls 46974->46988 46989 4121f4 46975->46989 46991 40fb2f 46976->46991 46993 40df1e CreateDirectoryA 46978->46993 46999 4e6770 93 API calls 46979->46999 47016 40f853 46979->47016 46996 40dc85 46980->46996 46997 4e6d70 78 API calls 46981->46997 46998 40bc12 46982->46998 46990 4e6770 93 API calls 46983->46990 47002 40c451 46984->47002 46985->46851 47003 410fb9 46986->47003 47004 402df0 std::_Throw_Cpp_error 41 API calls 46987->47004 47005 40fdb2 46988->47005 47006 412233 46989->47006 47023 4163b0 std::_Throw_Cpp_error 41 API calls 46989->47023 47007 40c4a7 46990->47007 47008 40fb6e 46991->47008 47025 4163b0 std::_Throw_Cpp_error 41 API calls 46991->47025 47010 40df46 46993->47010 47011 40e638 46993->47011 47012 40f825 46994->47012 47013 4118e6 CreateDirectoryA 46995->47013 47053 41ace0 41 API calls 46996->47053 47014 40c811 46997->47014 47015 4dff00 205 API calls 46998->47015 
46999->47016 47001 40d8c9 47000->47001 47018 402df0 std::_Throw_Cpp_error 41 API calls 47001->47018 47019 40c460 47002->47019 47020 40c462 CopyFileA 47002->47020 47063 41ace0 41 API calls 47003->47063 47021 40d476 47004->47021 47022 4e6ca0 86 API calls 47005->47022 47024 4e6770 93 API calls 47006->47024 47046 41223a 47006->47046 47045 402df0 std::_Throw_Cpp_error 41 API calls 47007->47045 47030 4e6770 93 API calls 47008->47030 47052 40fb75 47008->47052 47009 40bfa1 47034 4e6770 93 API calls 47009->47034 47027 402cf0 std::_Throw_Cpp_error 41 API calls 47010->47027 47028 41ab20 41 API calls 47011->47028 47029 4163b0 std::_Throw_Cpp_error 41 API calls 47012->47029 47031 411d25 47013->47031 47032 41190e 47013->47032 47033 40c98c 47014->47033 47054 41ab20 41 API calls 47014->47054 47015->47035 47056 402df0 std::_Throw_Cpp_error 41 API calls 47016->47056 47036 410040 47017->47036 47039 40d8db 47018->47039 47019->47020 47040 402df0 std::_Throw_Cpp_error 41 API calls 47020->47040 47042 402cf0 std::_Throw_Cpp_error 41 API calls 47021->47042 47043 40fdcb 47022->47043 47044 41220c 47023->47044 47024->47046 47047 40fb47 47025->47047 47026 41ab20 41 API calls 47048 40bf57 47026->47048 47049 40dfe3 47027->47049 47050 40e6dc CreateDirectoryA 47028->47050 47051 40f83d 47029->47051 47030->47052 47038 411d37 47031->47038 47058 4e6770 93 API calls 47031->47058 47091 403040 std::_Throw_Cpp_error 41 API calls 47032->47091 47041 402cf0 std::_Throw_Cpp_error 41 API calls 47033->47041 47055 40bfad 47034->47055 47035->46942 47035->46957 47037 402df0 std::_Throw_Cpp_error 41 API calls 47036->47037 47057 410052 47037->47057 47060 402df0 std::_Throw_Cpp_error 41 API calls 47038->47060 47059 402cf0 std::_Throw_Cpp_error 41 API calls 47039->47059 47061 40c491 47040->47061 47062 40cb30 47041->47062 47064 40d498 47042->47064 47065 40fe0a 47043->47065 47082 4163b0 std::_Throw_Cpp_error 41 API calls 47043->47082 47066 4163b0 std::_Throw_Cpp_error 41 API calls 47044->47066 47045->46853 47086 402df0 
std::_Throw_Cpp_error 41 API calls 47046->47086 47067 4163b0 std::_Throw_Cpp_error 41 API calls 47047->47067 47068 40bf66 47048->47068 47069 40bf68 CopyFileA 47048->47069 47103 41ace0 41 API calls 47049->47103 47070 40f2fd 47050->47070 47071 40e704 47050->47071 47072 4dff00 205 API calls 47051->47072 47090 402df0 std::_Throw_Cpp_error 41 API calls 47052->47090 47073 40dd2e 47053->47073 47074 40c940 47054->47074 47056->46859 47076 4e6ca0 86 API calls 47057->47076 47058->47038 47077 40d8fd 47059->47077 47078 411d49 47060->47078 47061->46983 47079 40c495 47061->47079 47118 41ace0 41 API calls 47062->47118 47080 411062 47063->47080 47081 4e6d70 78 API calls 47064->47081 47085 4e6770 93 API calls 47065->47085 47109 40fe11 47065->47109 47083 412224 47066->47083 47087 40fb5f 47067->47087 47068->47069 47084 40f315 47070->47084 47100 4e6770 93 API calls 47070->47100 47089 402cf0 std::_Throw_Cpp_error 41 API calls 47071->47089 47072->46979 47092 402df0 std::_Throw_Cpp_error 41 API calls 47073->47092 47093 40c951 CopyFileA 47074->47093 47094 40c94f 47074->47094 47096 41006b 47076->47096 47106 4e6d70 78 API calls 47077->47106 47097 402df0 std::_Throw_Cpp_error 41 API calls 47078->47097 47079->47007 47098 402df0 std::_Throw_Cpp_error 41 API calls 47080->47098 47099 40d4a5 47081->47099 47107 40fde3 47082->47107 47108 4dff00 205 API calls 47083->47108 47101 402df0 std::_Throw_Cpp_error 41 API calls 47084->47101 47085->47109 47086->47110 47102 4dff00 205 API calls 47087->47102 47104 40e826 47089->47104 47090->46880 47105 4119dc 47091->47105 47112 40dd40 47092->47112 47095 402df0 std::_Throw_Cpp_error 41 API calls 47093->47095 47094->47093 47114 40c980 47095->47114 47115 410e32 47096->47115 47127 41ab20 41 API calls 47096->47127 47119 411074 47098->47119 47120 40d61e 47099->47120 47131 41ab20 41 API calls 47099->47131 47100->47084 47102->47008 47123 40e08c 47103->47123 47141 41ace0 41 API calls 47105->47141 47116 40d90a 47106->47116 47121 4163b0 std::_Throw_Cpp_error 41 API calls 
47107->47121 47108->47006 47138 402df0 std::_Throw_Cpp_error 41 API calls 47109->47138 47110->46875 47110->46884 47113 402cf0 std::_Throw_Cpp_error 41 API calls 47112->47113 47126 40dd62 47113->47126 47114->47033 47139 4e6770 93 API calls 47115->47139 47153 410e44 47115->47153 47136 40d9fd 47116->47136 47143 41ab20 41 API calls 47116->47143 47129 40cbd9 47118->47129 47130 4163b0 std::_Throw_Cpp_error 41 API calls 47119->47130 47133 4e6770 93 API calls 47120->47133 47137 40fdfb 47121->47137 47134 402df0 std::_Throw_Cpp_error 41 API calls 47123->47134 47142 410111 47127->47142 47145 402df0 std::_Throw_Cpp_error 41 API calls 47129->47145 47147 40d5d4 47131->47147 47151 40d62a 47133->47151 47148 4dff00 205 API calls 47137->47148 47138->46912 47139->47153 47165 411a89 47141->47165 47158 40cbeb 47145->47158 47160 40d5e3 47147->47160 47161 40d5e5 CopyFileA 47147->47161 47148->47065 47179 402df0 std::_Throw_Cpp_error 41 API calls 47151->47179 47160->47161 47177 402df0 std::_Throw_Cpp_error 41 API calls 47161->47177 47179->46905 47460 4359b0 __fread_nolock 47459->47460 47461 4df088 SHGetFolderPathA 47460->47461 47462 4df150 47461->47462 47462->47462 47463 403040 std::_Throw_Cpp_error 41 API calls 47462->47463 47464 4df16c 47463->47464 47465 41fbf0 41 API calls 47464->47465 47466 4df19d 47465->47466 47469 4dfed9 47466->47469 47471 4df210 std::ios_base::_Ios_base_dtor 47466->47471 47467 4e6ca0 86 API calls 47468 4df245 47467->47468 47472 41ab20 41 API calls 47468->47472 47473 4dfe6b 47468->47473 47470 438c70 std::_Throw_Cpp_error 41 API calls 47469->47470 47480 4dfede 47470->47480 47471->47467 47476 4df2e8 47472->47476 47474 4dfe9b std::ios_base::_Ios_base_dtor 47473->47474 47473->47480 47475 402df0 std::_Throw_Cpp_error 41 API calls 47474->47475 47477 45e8c9 47475->47477 47478 4e6ca0 86 API calls 47476->47478 47477->46774 47477->46783 47479 4df308 47478->47479 47482 4df312 CreateDirectoryA 47479->47482 47486 4df333 47479->47486 47481 438c70 std::_Throw_Cpp_error 41 API calls 
47480->47481 47483 4dfef2 47481->47483 47482->47486 47486->47480 47565 4d7636 __fread_nolock 47564->47565 47566 4d7654 SHGetFolderPathA 47565->47566 47567 4359b0 __fread_nolock 47566->47567 47568 4d7681 SHGetFolderPathA 47567->47568 47569 4d77c8 47568->47569 47569->47569 47570 403040 std::_Throw_Cpp_error 41 API calls 47569->47570 47571 4d77e4 47570->47571 47572 41ace0 41 API calls 47571->47572 47576 4d7800 std::ios_base::_Ios_base_dtor 47572->47576 47573 4e6ca0 86 API calls 47574 4d7875 47573->47574 47577 4d79fb 47574->47577 47579 41ab20 41 API calls 47574->47579 47575 4de427 47578 438c70 std::_Throw_Cpp_error 41 API calls 47575->47578 47576->47573 47576->47575 47580 4de42c 47578->47580 48423->46795 48982 41e710 48424->48982 48426 41ae54 48426->46795 48428 41ab20 41 API calls 48427->48428 48430 4e005f 48428->48430 48429 402df0 std::_Throw_Cpp_error 41 API calls 48431 4e00f2 FindFirstFileA 48429->48431 48432 4e06bc 48430->48432 48433 4e009f std::ios_base::_Ios_base_dtor 48430->48433 48439 4e058f std::ios_base::_Ios_base_dtor 48431->48439 48507 4e011f std::locale::_Locimp::_Locimp 48431->48507 48434 438c70 std::_Throw_Cpp_error 41 API calls 48432->48434 48433->48429 48435 4e06c1 48434->48435 48438 438c70 std::_Throw_Cpp_error 41 API calls 48435->48438 48436 4e0564 FindNextFileA 48437 4e057b FindClose GetLastError 48436->48437 48436->48507 48437->48439 48440 4e06cb 48438->48440 48439->48435 48441 4e0670 std::ios_base::_Ios_base_dtor 48439->48441 48446 41ab20 41 API calls 48440->48446 48442 402df0 std::_Throw_Cpp_error 41 API calls 48441->48442 48443 4e0698 48442->48443 48444 402df0 std::_Throw_Cpp_error 41 API calls 48443->48444 48445 4e06a7 48444->48445 48445->46795 48447 4e083a 48446->48447 48448 439820 43 API calls 48447->48448 48449 4e08e8 48448->48449 48450 4e4585 48449->48450 48987 4e71e0 GetCurrentProcess IsWow64Process 48449->48987 48452 4163b0 std::_Throw_Cpp_error 41 API calls 48450->48452 48455 4e45a8 48452->48455 48454 41e8a0 41 API calls 48454->48507 
49060 4e7640 48455->49060 48456 403350 78 API calls 48458 4e09c4 48456->48458 48460 403350 78 API calls 48458->48460 48463 4e0a6e 48460->48463 48989 44196b GetSystemTimeAsFileTime 48463->48989 48464 418f00 41 API calls std::_Throw_Cpp_error 48464->48507 48467 402df0 41 API calls std::_Throw_Cpp_error 48467->48507 48478 4e053f CopyFileA 48482 4e05a0 GetLastError 48478->48482 48478->48507 48482->48439 48483 4e6ca0 86 API calls 48483->48507 48486 4e03cd CreateDirectoryA 48486->48482 48486->48507 48503 4dff00 155 API calls 48503->48507 48505 4032d0 41 API calls std::_Throw_Cpp_error 48505->48507 48507->48435 48507->48436 48507->48439 48507->48454 48507->48464 48507->48467 48507->48478 48507->48483 48507->48486 48507->48503 48507->48505 48663 4162d3 48662->48663 48664 4162ce 48662->48664 48663->46796 48665 402df0 std::_Throw_Cpp_error 41 API calls 48664->48665 48665->48663 48666->46796 48668 439820 43 API calls 48667->48668 48669 4e6e2f 48668->48669 48670 4e6e3c 48669->48670 48671 43d0a8 78 API calls 48669->48671 48672 402df0 std::_Throw_Cpp_error 41 API calls 48670->48672 48671->48670 48673 40beae 48672->48673 48673->47009 48673->47026 48717->46962 48983 41e753 48982->48983 48984 4032d0 std::_Throw_Cpp_error 41 API calls 48983->48984 48985 41e758 std::locale::_Locimp::_Locimp 48983->48985 48986 41e843 std::locale::_Locimp::_Locimp 48984->48986 48985->48426 48986->48426 48988 4e0900 48987->48988 48988->48456 49061 439820 43 API calls 49060->49061 49062 4e7740 49061->49062 49076 4e77b9 49062->49076 49153 43d5f6 49062->49153 49400 45f740 49401 45f794 49400->49401 49402 4602fc 49400->49402 49403 41ab20 41 API calls 49401->49403 49404 41ab20 41 API calls 49402->49404 49405 45f876 49403->49405 49406 4603de 49404->49406 49407 4e6ca0 86 API calls 49405->49407 49408 4e6ca0 86 API calls 49406->49408 49409 45f89c 49407->49409 49410 460404 49408->49410 49412 4e6c10 85 API calls 49409->49412 49414 45f8bf 49409->49414 49417 460427 49410->49417 49547 4e6c10 49410->49547 49412->49414 
49413 4602cf 49418 4602ea 49413->49418 49423 4e6770 93 API calls 49413->49423 49414->49413 49414->49418 49419 41b260 41 API calls 49414->49419 49415 461b1b 49420 402df0 std::_Throw_Cpp_error 41 API calls 49415->49420 49416 461b00 49416->49415 49424 4e6770 93 API calls 49416->49424 49417->49415 49417->49416 49559 41b260 49417->49559 49421 402df0 std::_Throw_Cpp_error 41 API calls 49418->49421 49460 45f8ef 49419->49460 49425 461b2d 49420->49425 49421->49402 49423->49418 49424->49415 49426 4602c0 49595 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49426->49595 49427 461af1 49598 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49427->49598 49430 4130f0 41 API calls 49430->49460 49431 4130f0 41 API calls 49463 460457 std::ios_base::_Ios_base_dtor 49431->49463 49432 41b260 41 API calls 49432->49460 49433 41b260 41 API calls 49433->49463 49436 4163b0 41 API calls std::_Throw_Cpp_error 49436->49463 49437 4163b0 41 API calls std::_Throw_Cpp_error 49437->49460 49438 41ac50 41 API calls 49438->49460 49439 416240 41 API calls 49439->49463 49441 416240 41 API calls 49441->49460 49443 4e6ca0 86 API calls 49443->49463 49444 4e6c10 85 API calls 49444->49460 49445 4e6c10 85 API calls 49445->49463 49446 41ac50 41 API calls 49446->49463 49447 4e6ca0 86 API calls 49447->49460 49448 439820 43 API calls 49448->49460 49449 439820 43 API calls 49449->49463 49450 41ae20 41 API calls 49450->49460 49451 41ae20 41 API calls 49451->49463 49452 41abb0 41 API calls 49452->49460 49453 41abb0 41 API calls 49453->49463 49454 402df0 41 API calls std::_Throw_Cpp_error 49454->49460 49455 413200 41 API calls 49455->49463 49456 43d0a8 78 API calls 49456->49463 49457 413200 41 API calls 49457->49460 49458 43d0a8 78 API calls 49458->49460 49459 402cf0 41 API calls std::_Throw_Cpp_error 49459->49460 49460->49426 49460->49430 49460->49432 49460->49437 49460->49438 49460->49441 49460->49444 49460->49447 49460->49448 49460->49450 49460->49452 49460->49454 49460->49457 49460->49458 49460->49459 49461 
41af80 41 API calls 49460->49461 49465 403350 78 API calls 49460->49465 49591 416210 41 API calls std::_Throw_Cpp_error 49460->49591 49592 41b400 41 API calls 49460->49592 49593 41bae0 41 API calls 2 library calls 49460->49593 49594 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49460->49594 49461->49460 49462 402cf0 41 API calls std::_Throw_Cpp_error 49462->49463 49463->49427 49463->49431 49463->49433 49463->49436 49463->49439 49463->49443 49463->49445 49463->49446 49463->49449 49463->49451 49463->49453 49463->49455 49463->49456 49463->49462 49467 41af80 41 API calls 49463->49467 49469 403040 std::_Throw_Cpp_error 41 API calls 49463->49469 49470 41ace0 41 API calls 49463->49470 49471 4162c0 41 API calls 49463->49471 49472 402df0 41 API calls std::_Throw_Cpp_error 49463->49472 49473 41b400 41 API calls 49463->49473 49474 461e04 49463->49474 49482 416260 41 API calls 49463->49482 49483 403350 78 API calls 49463->49483 49580 4219a0 49463->49580 49596 416210 41 API calls std::_Throw_Cpp_error 49463->49596 49597 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49463->49597 49465->49460 49467->49463 49469->49463 49470->49463 49471->49463 49472->49463 49473->49463 49475 438c70 std::_Throw_Cpp_error 41 API calls 49474->49475 49476 461e09 49475->49476 49477 41ab20 41 API calls 49476->49477 49478 461f34 49477->49478 49479 4e6ca0 86 API calls 49478->49479 49480 461f5a 49479->49480 49481 4e6c10 85 API calls 49480->49481 49485 461f7d 49480->49485 49481->49485 49482->49463 49483->49463 49484 46299f 49488 4629be 49484->49488 49485->49484 49486 41b260 41 API calls 49485->49486 49485->49488 49548 432b99 12 API calls 49547->49548 49549 4e6c3d 49548->49549 49550 4e6c44 49549->49550 49551 4e6c82 49549->49551 49552 4e6c89 49550->49552 49553 4e6c50 CreateDirectoryA 49550->49553 49554 432534 std::_Throw_Cpp_error 76 API calls 49551->49554 49556 432534 std::_Throw_Cpp_error 76 API calls 49552->49556 49555 432baa RtlReleaseSRWLockExclusive 49553->49555 49554->49552 49557 4e6c6e 
49555->49557 49558 4e6c9a 49556->49558 49557->49417 49560 433672 std::_Facet_Register 3 API calls 49559->49560 49561 41b2b8 49560->49561 49562 41b2e2 49561->49562 49563 41b3b4 49561->49563 49564 433672 std::_Facet_Register 3 API calls 49562->49564 49566 402cf0 std::_Throw_Cpp_error 41 API calls 49563->49566 49565 41b2f7 49564->49565 49605 42e7e0 49565->49605 49567 41b3c4 49566->49567 49568 41ace0 41 API calls 49567->49568 49570 41b3d9 49568->49570 49572 407cf0 41 API calls 49570->49572 49571 41b33b 49573 41b352 49571->49573 49574 41d1d0 41 API calls 49571->49574 49576 41b3ee 49572->49576 49617 41d1d0 49573->49617 49574->49573 49577 4351fb Concurrency::cancel_current_task RaiseException 49576->49577 49578 41b3ff 49577->49578 49579 41b390 std::ios_base::_Ios_base_dtor 49579->49463 49581 4219d0 49580->49581 49582 4219f5 49580->49582 49581->49463 49583 402cf0 std::_Throw_Cpp_error 41 API calls 49582->49583 49584 421a03 49583->49584 49585 41ace0 41 API calls 49584->49585 49586 421a18 49585->49586 49587 407cf0 41 API calls 49586->49587 49588 421a2d 49587->49588 49589 4351fb Concurrency::cancel_current_task RaiseException 49588->49589 49591->49460 49592->49460 49593->49460 49594->49460 49595->49413 49596->49463 49597->49463 49598->49416 49610 42e82a 49605->49610 49616 42e9ff 49605->49616 49607 42ea1a 49655 407260 RaiseException 49607->49655 49608 433672 std::_Facet_Register 3 API calls 49608->49610 49610->49607 49610->49608 49613 4163b0 41 API calls std::_Throw_Cpp_error 49610->49613 49614 402df0 std::_Throw_Cpp_error 41 API calls 49610->49614 49610->49616 49622 413d50 49610->49622 49611 42ea1f 49612 42ea3d 49611->49612 49656 42d6a0 41 API calls std::_Throw_Cpp_error 49611->49656 49612->49571 49613->49610 49614->49610 49616->49571 49618 41d24d 49617->49618 49620 41d1f8 std::ios_base::_Ios_base_dtor 49617->49620 49618->49579 49619 41d1d0 41 API calls 49619->49620 49620->49618 49620->49619 49621 402df0 std::_Throw_Cpp_error 41 API calls 49620->49621 49621->49620 49623 
413d8f 49622->49623 49653 413df7 std::locale::_Locimp::_Locimp 49622->49653 49624 413d96 49623->49624 49625 413e69 49623->49625 49626 413f7d 49623->49626 49627 413f1e 49623->49627 49623->49653 49630 433672 std::_Facet_Register 3 API calls 49624->49630 49629 433672 std::_Facet_Register 3 API calls 49625->49629 49631 433672 std::_Facet_Register 3 API calls 49626->49631 49659 417e80 41 API calls 2 library calls 49627->49659 49634 413e73 49629->49634 49632 413da0 49630->49632 49633 413f8a 49631->49633 49635 433672 std::_Facet_Register 3 API calls 49632->49635 49638 413fd3 49633->49638 49639 41408e 49633->49639 49633->49653 49634->49653 49658 42bf30 41 API calls 3 library calls 49634->49658 49637 413dd2 49635->49637 49657 42f460 41 API calls 2 library calls 49637->49657 49643 414004 49638->49643 49644 413fdb 49638->49644 49660 403330 RaiseException 49639->49660 49640 413eb1 49651 413d50 41 API calls 49640->49651 49640->49653 49645 433672 std::_Facet_Register 3 API calls 49643->49645 49646 414093 49644->49646 49647 413fe6 49644->49647 49645->49653 49661 402b50 RaiseException Concurrency::cancel_current_task ___std_exception_copy 49646->49661 49648 433672 std::_Facet_Register 3 API calls 49647->49648 49650 413fec 49648->49650 49652 438c70 std::_Throw_Cpp_error 41 API calls 49650->49652 49650->49653 49651->49640 49654 41409d 49652->49654 49653->49610 49653->49653 49655->49611 49656->49611 49657->49653 49658->49640 49659->49653 49661->49650 49818 46aa80 50046 46aaba 49818->50046 49819 478b27 49820 46aae1 49821 4163b0 std::_Throw_Cpp_error 41 API calls 49820->49821 49822 4163b0 std::_Throw_Cpp_error 41 API calls 49820->49822 49821->49820 49823 46ab3c 49822->49823 49824 46abc4 49823->49824 49826 46abde 49824->49826 49825 403040 std::_Throw_Cpp_error 41 API calls 49825->49826 49826->49825 49827 403040 std::_Throw_Cpp_error 41 API calls 49826->49827 49828 46ad59 49827->49828 49830 46ad84 49828->49830 51165 47721c 49828->51165 51166 4aa200 49828->51166 49833 46ad96 49830->49833 
49831 47722a 49832 47724c 49831->49832 49836 4163b0 std::_Throw_Cpp_error 41 API calls 49832->49836 49834 46adb8 49833->49834 49835 4163b0 std::_Throw_Cpp_error 41 API calls 49834->49835 49837 46adc0 49835->49837 49838 47725b 49836->49838 49839 46adda 49837->49839 49846 477278 49838->49846 49840 46ade1 49839->49840 49842 4163b0 std::_Throw_Cpp_error 41 API calls 49840->49842 49841 4163b0 std::_Throw_Cpp_error 41 API calls 49841->49846 49843 46ade9 49842->49843 49845 402cf0 std::_Throw_Cpp_error 41 API calls 49843->49845 49844 402cf0 std::_Throw_Cpp_error 41 API calls 49844->49846 49847 46ae63 49845->49847 49846->49841 49846->49844 49854 47747b 49846->49854 49849 402cf0 std::_Throw_Cpp_error 41 API calls 49847->49849 49848 402cf0 std::_Throw_Cpp_error 41 API calls 49848->49854 49850 46af8d 49849->49850 49851 4aa200 222 API calls 49850->49851 49853 46afa8 49851->49853 49852 4aa200 222 API calls 49852->49854 49857 46afbd 49853->49857 49854->49848 49854->49852 49855 4774af 49854->49855 49856 4774d1 49855->49856 49859 4163b0 std::_Throw_Cpp_error 41 API calls 49856->49859 49858 46afdf 49857->49858 49860 4163b0 std::_Throw_Cpp_error 41 API calls 49858->49860 49861 4774e0 49859->49861 49862 46afe7 49860->49862 49870 4774fd 49861->49870 49863 46b001 49862->49863 49864 46b008 49863->49864 49866 4163b0 std::_Throw_Cpp_error 41 API calls 49866->49870 49869 402cf0 std::_Throw_Cpp_error 41 API calls 49869->49870 49870->49866 49870->49869 49877 477700 49870->49877 49872 402cf0 std::_Throw_Cpp_error 41 API calls 49872->49877 49875 4aa200 222 API calls 49875->49877 49877->49872 49877->49875 49879 477734 49877->49879 49881 477756 49879->49881 49884 4163b0 std::_Throw_Cpp_error 41 API calls 49881->49884 49885 477765 49884->49885 49894 477782 49885->49894 49889 4163b0 std::_Throw_Cpp_error 41 API calls 49889->49894 49892 402cf0 std::_Throw_Cpp_error 41 API calls 49892->49894 49894->49889 49894->49892 49901 477985 49894->49901 49897 402cf0 std::_Throw_Cpp_error 41 API calls 
49897->49901 49900 4aa200 222 API calls 49900->49901 49901->49897 49901->49900 49903 4779b9 49901->49903 49904 4779db 49903->49904 50040 402cf0 std::_Throw_Cpp_error 41 API calls 50040->50046 50044 4aa200 222 API calls 50044->50046 50046->49819 50046->49820 50046->50040 50046->50044 51165->49831 51167 4359b0 __fread_nolock 51166->51167 51168 4aa25b SHGetFolderPathA 51167->51168 52127 41ac50 51168->52127 51170 4aa28f 51171 4aa2ad 51170->51171 51172 4ab3c5 51170->51172 51174 4163b0 std::_Throw_Cpp_error 41 API calls 51171->51174 51173 4152b0 41 API calls 51172->51173 51176 4ab411 51173->51176 51175 4aa2be 51174->51175 51177 4c6000 45 API calls 51175->51177 51178 402df0 std::_Throw_Cpp_error 41 API calls 51176->51178 51179 4aa2d1 51177->51179 51180 4ab3c3 51178->51180 51181 4aa2eb 51179->51181 51436 4aa355 std::locale::_Locimp::_Locimp 51179->51436 51188 4ab46b 51180->51188 51437 4ab490 std::ios_base::_Ios_base_dtor std::locale::_Locimp::_Locimp 51180->51437 52303 4242a0 41 API calls 51180->52303 51183 4185d0 76 API calls 51181->51183 51182 4ab3b4 51185 4185d0 76 API calls 51182->51185 51184 4aa2f7 51183->51184 51186 4185d0 76 API calls 51184->51186 51185->51180 51189 4aa303 51186->51189 51190 402df0 std::_Throw_Cpp_error 41 API calls 51188->51190 51191 402df0 std::_Throw_Cpp_error 41 API calls 51189->51191 51190->51437 51194 4aa30f 51191->51194 51192 4adb0c 51197 417ef0 41 API calls 51192->51197 51193 41ab20 41 API calls 51193->51437 51195 402df0 std::_Throw_Cpp_error 41 API calls 51194->51195 51199 4adb7a 51197->51199 51201 4140c0 41 API calls 51199->51201 51203 4adba4 51201->51203 52135 41af80 51203->52135 51206 41ad80 41 API calls 51206->51437 51215 4adb07 51219 438c70 std::_Throw_Cpp_error 41 API calls 51215->51219 51219->51192 51227 41e8a0 41 API calls 51227->51437 51235 402df0 41 API calls std::_Throw_Cpp_error 51235->51436 51259 41e8a0 41 API calls 51259->51436 51281 41e710 41 API calls 51281->51437 51284 418f00 std::_Throw_Cpp_error 41 API calls 51284->51437 
51292 41abb0 41 API calls 51292->51437 51303 41abb0 41 API calls 51303->51436 51331 4e6d70 78 API calls 51331->51437 51350 403040 41 API calls std::_Throw_Cpp_error 51350->51437 51357 4032d0 41 API calls std::_Throw_Cpp_error 51357->51437 51364 4235f0 41 API calls 51364->51437 51373 402df0 41 API calls std::_Throw_Cpp_error 51373->51437 51376 418f00 41 API calls std::_Throw_Cpp_error 51376->51436 51392 402fe0 41 API calls std::_Throw_Cpp_error 51392->51437 51408 4163b0 41 API calls std::_Throw_Cpp_error 51408->51437 51413 4e6d70 78 API calls 51413->51436 51415 4032d0 std::_Throw_Cpp_error 41 API calls 51415->51436 51420 4163b0 41 API calls std::_Throw_Cpp_error 51420->51436 51436->51182 51436->51192 51436->51235 51436->51259 51436->51303 51436->51376 51436->51413 51436->51415 51436->51420 52302 424400 44 API calls 4 library calls 51436->52302 51437->51184 51437->51192 51437->51193 51437->51206 51437->51215 51437->51227 51437->51281 51437->51284 51437->51292 51437->51331 51437->51350 51437->51357 51437->51364 51437->51373 51437->51392 51437->51408 51438 4098e0 41 API calls 51437->51438 51438->51437 52128 41ac81 52127->52128 52128->52128 52129 41ac9b 52128->52129 52131 41acd3 52128->52131 52130 41e8a0 41 API calls 52129->52130 52132 41acb2 52130->52132 52133 41fbf0 41 API calls 52131->52133 52132->51170 52134 41ad24 52133->52134 52134->51170 52302->51436 52303->51188 52993 46a140 53004 46a17b 52993->53004 52994 46aa60 52995 4163b0 41 API calls std::_Throw_Cpp_error 52995->53004 52999 41af80 41 API calls 52999->53004 53000 413d50 41 API calls 53000->53004 53001 4138b0 41 API calls 53001->53004 53004->52994 53004->52995 53004->52999 53004->53000 53004->53001 53005 49f0d0 53004->53005 53097 49d3a0 53004->53097 53177 49af60 53004->53177 53258 4986b0 53004->53258 53335 4963b0 53004->53335 53006 49f106 53005->53006 53007 417ef0 41 API calls 53006->53007 53008 49f12f 53007->53008 53009 4140c0 41 API calls 53008->53009 53010 49f159 53009->53010 53011 41af80 41 API calls 
53010->53011 53012 49f1f4 __fread_nolock 53011->53012 53013 49f212 SHGetFolderPathA 53012->53013 53014 41ac50 41 API calls 53013->53014 53015 49f23f 53014->53015 53016 41ab20 41 API calls 53015->53016 53017 49f2e4 __fread_nolock 53016->53017 53018 49f2fe GetPrivateProfileSectionNamesA 53017->53018 53071 49f331 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 53018->53071 53020 4a348d lstrlen 53021 4a34a3 53020->53021 53020->53071 53022 402df0 std::_Throw_Cpp_error 41 API calls 53021->53022 53024 4a34b2 53022->53024 53023 49f422 GetPrivateProfileStringA 53023->53071 53025 402df0 std::_Throw_Cpp_error 41 API calls 53024->53025 53026 4a34c1 53025->53026 53027 402df0 std::_Throw_Cpp_error 41 API calls 53026->53027 53028 4a34cd 53027->53028 53031 402df0 std::_Throw_Cpp_error 41 API calls 53028->53031 53029 4a34fb 53033 402cf0 std::_Throw_Cpp_error 41 API calls 53029->53033 53030 41abb0 41 API calls 53030->53071 53032 4a34d9 53031->53032 53034 402df0 std::_Throw_Cpp_error 41 API calls 53032->53034 53035 4a3514 53033->53035 53036 4a34e5 53034->53036 53037 41ace0 41 API calls 53035->53037 53036->53004 53038 4a3529 53037->53038 53039 407cf0 41 API calls 53038->53039 53040 4a3541 53039->53040 53041 4351fb Concurrency::cancel_current_task RaiseException 53040->53041 53042 4a3555 53041->53042 53043 438c70 std::_Throw_Cpp_error 41 API calls 53042->53043 53044 4a355a 53043->53044 53046 402cf0 std::_Throw_Cpp_error 41 API calls 53044->53046 53045 41e8a0 41 API calls 53045->53071 53049 4a356d 53046->53049 53047 4d6790 148 API calls 53047->53071 53048 4e7640 87 API calls 53048->53071 53052 41ace0 41 API calls 53049->53052 53050 4032d0 std::_Throw_Cpp_error 41 API calls 53050->53071 53051 41b430 53 API calls 53051->53071 53053 4a3582 53052->53053 53054 407cf0 41 API calls 53053->53054 53055 4a359a 53054->53055 53056 4351fb Concurrency::cancel_current_task RaiseException 53055->53056 53058 4a35ae 53056->53058 53057 4d65f0 87 API calls 53057->53071 53059 
402cf0 std::_Throw_Cpp_error 41 API calls 53058->53059 53060 4a35c2 53059->53060 53061 41ace0 41 API calls 53060->53061 53062 4a35d7 53061->53062 53063 407cf0 41 API calls 53062->53063 53064 4a35ef 53063->53064 53065 4351fb Concurrency::cancel_current_task RaiseException 53064->53065 53066 4a3603 53065->53066 53067 417ef0 41 API calls 53067->53071 53068 4130f0 41 API calls 53068->53071 53070 4e6ca0 86 API calls 53070->53071 53071->53020 53071->53023 53071->53029 53071->53030 53071->53042 53071->53044 53071->53045 53071->53047 53071->53048 53071->53050 53071->53051 53071->53057 53071->53058 53071->53067 53071->53068 53071->53070 53072 4a1c5f CreateDirectoryA 53071->53072 53074 426db0 41 API calls 53071->53074 53075 41af80 41 API calls 53071->53075 53076 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53071->53076 53077 41ad80 41 API calls 53071->53077 53078 403040 41 API calls std::_Throw_Cpp_error 53071->53078 53079 413d50 41 API calls 53071->53079 53080 41b0e0 41 API calls 53071->53080 53081 4a1f46 CreateDirectoryA 53071->53081 53082 41ab20 41 API calls 53071->53082 53083 402fe0 41 API calls std::_Throw_Cpp_error 53071->53083 53084 402cf0 std::_Throw_Cpp_error 41 API calls 53071->53084 53086 41ace0 41 API calls 53071->53086 53087 41b7b0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection 53071->53087 53088 4e6d70 78 API calls 53071->53088 53089 439820 43 API calls 53071->53089 53091 413980 41 API calls 53071->53091 53092 402df0 41 API calls std::_Throw_Cpp_error 53071->53092 53093 4a3610 154 API calls 53071->53093 53094 441628 75 API calls 53071->53094 53095 43d0a8 78 API calls 53071->53095 53414 440fae 53071->53414 53428 42c080 41 API calls 2 library calls 53071->53428 53429 424900 41 API calls 53071->53429 53430 413200 53071->53430 53445 41b9d0 41 API calls 2 library calls 53071->53445 53446 4136c0 41 API calls 2 library calls 53071->53446 53072->53071 53074->53071 53075->53071 53076->53071 53077->53071 
53462->53468 53463 469b34 53578 492440 53463->53578 53469 41ab20 41 API calls 53464->53469 53467 466e01 53465->53467 53470 4e6ca0 86 API calls 53467->53470 53468->53463 53475 41ab20 41 API calls 53468->53475 53471 4687eb 53469->53471 53473 466e27 53470->53473 53477 439820 43 API calls 53471->53477 53472 469e50 53621 412c30 41 API calls 2 library calls 53472->53621 53479 4e6c10 85 API calls 53473->53479 53482 466e4a 53473->53482 53480 469838 53475->53480 53476 469e62 53481 468813 53477->53481 53478 469b42 53478->53472 53488 41ab20 41 API calls 53478->53488 53479->53482 53487 439820 43 API calls 53480->53487 53483 402df0 std::_Throw_Cpp_error 41 API calls 53481->53483 53484 468700 53482->53484 53486 41b260 41 API calls 53482->53486 53492 467b0b 53482->53492 53495 46882a 53483->53495 53485 402df0 std::_Throw_Cpp_error 41 API calls 53484->53485 53485->53464 53574 466e79 53486->53574 53490 469860 53487->53490 53489 469c31 53488->53489 53496 439820 43 API calls 53489->53496 53493 402df0 std::_Throw_Cpp_error 41 API calls 53490->53493 53491 4686e5 53491->53484 53502 4e6770 93 API calls 53491->53502 53492->53491 53494 41b260 41 API calls 53492->53494 53503 46987a 53493->53503 53576 467b2e 53494->53576 53495->53468 53498 403350 78 API calls 53495->53498 53499 469c59 53496->53499 53497 467afc 53616 408ab0 41 API calls std::ios_base::_Ios_base_dtor 53497->53616 53507 4688bd 53498->53507 53501 402df0 std::_Throw_Cpp_error 41 API calls 53499->53501 53510 469c73 53501->53510 53502->53484 53503->53463 53505 403350 78 API calls 53503->53505 53504 4686d6 53618 408ab0 41 API calls std::ios_base::_Ios_base_dtor 53504->53618 53527 469911 53505->53527 53509 41b260 41 API calls 53507->53509 53513 469003 53507->53513 53557 4688e3 53509->53557 53510->53472 53512 403350 78 API calls 53510->53512 53511 469b2e 53515 43d0a8 78 API calls 53511->53515 53528 469d0a 53512->53528 53514 469743 53513->53514 53519 41b260 41 API calls 53513->53519 53518 43d0a8 78 API calls 53514->53518 53515->53463 
53516 4130f0 41 API calls 53516->53576 53517 413200 41 API calls 53517->53574 53518->53468 53559 469026 53519->53559 53520 468ff4 53619 408ab0 41 API calls std::ios_base::_Ios_base_dtor 53520->53619 53521 402cf0 41 API calls std::_Throw_Cpp_error 53521->53574 53523 469e4a 53524 43d0a8 78 API calls 53523->53524 53524->53472 53525 413200 41 API calls 53525->53576 53526 469734 53620 408ab0 41 API calls std::ios_base::_Ios_base_dtor 53526->53620 53527->53511 53530 403350 78 API calls 53527->53530 53528->53523 53532 403350 78 API calls 53528->53532 53530->53527 53531 4130f0 41 API calls 53531->53557 53532->53528 53533 413200 41 API calls 53533->53557 53534 4130f0 41 API calls 53534->53559 53535 402cf0 41 API calls std::_Throw_Cpp_error 53535->53576 53536 413200 41 API calls 53536->53559 53537 402cf0 41 API calls std::_Throw_Cpp_error 53537->53557 53538 402cf0 41 API calls std::_Throw_Cpp_error 53538->53559 53539 41af80 41 API calls 53539->53574 53540 41b400 41 API calls 53540->53576 53541 41b400 41 API calls 53541->53574 53542 41af80 41 API calls 53542->53576 53543 41af80 41 API calls 53543->53557 53544 41b400 41 API calls 53544->53557 53545 41ac50 41 API calls 53545->53574 53546 41ac50 41 API calls 53546->53576 53547 41af80 41 API calls 53547->53559 53548 416240 41 API calls 53548->53576 53549 4e6ca0 86 API calls 53549->53574 53550 402df0 41 API calls std::_Throw_Cpp_error 53550->53557 53551 403350 78 API calls 53551->53557 53552 4e6c10 85 API calls 53552->53574 53553 4e6ca0 86 API calls 53553->53576 53554 402df0 41 API calls std::_Throw_Cpp_error 53554->53559 53555 4163b0 41 API calls std::_Throw_Cpp_error 53555->53574 53556 41b400 41 API calls 53556->53559 53557->53520 53557->53531 53557->53533 53557->53537 53557->53543 53557->53544 53557->53550 53557->53551 53558 403350 78 API calls 53558->53559 53559->53526 53559->53534 53559->53536 53559->53538 53559->53547 53559->53554 53559->53556 53559->53558 53563 4e6d70 78 API calls 53563->53574 53564 4163b0 41 API calls 
std::_Throw_Cpp_error 53564->53576 53565 4e6d70 78 API calls 53565->53576 53566 402df0 41 API calls std::_Throw_Cpp_error 53566->53574 53567 439820 43 API calls 53567->53574 53568 4e6c10 85 API calls 53568->53576 53569 439820 43 API calls 53569->53576 53570 403350 78 API calls 53570->53574 53571 416240 41 API calls 53571->53574 53572 403350 78 API calls 53572->53576 53573 402df0 41 API calls std::_Throw_Cpp_error 53573->53576 53574->53497 53574->53517 53574->53521 53574->53539 53574->53541 53574->53545 53574->53549 53574->53552 53574->53555 53574->53563 53574->53566 53574->53567 53574->53570 53574->53571 53575 43d0a8 78 API calls 53574->53575 53605 4130f0 53574->53605 53614 4e6470 41 API calls 53574->53614 53615 416210 41 API calls std::_Throw_Cpp_error 53574->53615 53575->53574 53576->53504 53576->53516 53576->53525 53576->53535 53576->53540 53576->53542 53576->53546 53576->53548 53576->53553 53576->53564 53576->53565 53576->53568 53576->53569 53576->53572 53576->53573 53577 43d0a8 78 API calls 53576->53577 53617 416210 41 API calls std::_Throw_Cpp_error 53576->53617 53577->53576 53622 493b60 53578->53622 53580 4924ad 53580->53478 53581 4924a7 53581->53580 53582 403040 std::_Throw_Cpp_error 41 API calls 53581->53582 53583 4924ee 53582->53583 53585 418f00 std::_Throw_Cpp_error 41 API calls 53583->53585 53586 4925a0 53585->53586 53640 4938d0 45 API calls 2 library calls 53586->53640 53588 492a33 53589 4185d0 76 API calls 53588->53589 53591 492a49 53589->53591 53590 492a74 53594 438c70 std::_Throw_Cpp_error 41 API calls 53590->53594 53592 402df0 std::_Throw_Cpp_error 41 API calls 53591->53592 53592->53580 53593 41e8a0 41 API calls 53604 4925c7 std::ios_base::_Ios_base_dtor std::locale::_Locimp::_Locimp 53593->53604 53596 492a7e 53594->53596 53595 41ad80 41 API calls 53595->53604 53597 41ab20 41 API calls 53597->53604 53600 4032d0 std::_Throw_Cpp_error 41 API calls 53600->53604 53601 4163b0 41 API calls std::_Throw_Cpp_error 53601->53604 53603 402df0 41 API calls 
std::_Throw_Cpp_error 53603->53604 53604->53588 53604->53590 53604->53593 53604->53595 53604->53597 53604->53600 53604->53601 53604->53603 53641 493080 46 API calls 4 library calls 53604->53641 53642 492a80 50 API calls 5 library calls 53604->53642 53643 422ac0 41 API calls 4 library calls 53604->53643 53606 413114 53605->53606 53607 41316c 53605->53607 53606->53574 53608 402cf0 std::_Throw_Cpp_error 41 API calls 53607->53608 53609 413179 53608->53609 53645 407b10 41 API calls 3 library calls 53609->53645 53611 413191 53612 4351fb Concurrency::cancel_current_task RaiseException 53611->53612 53613 4131a2 53612->53613 53614->53574 53615->53574 53616->53492 53617->53576 53618->53491 53619->53513 53620->53514 53621->53476 53623 493ba5 __fread_nolock 53622->53623 53624 493bd7 RegOpenKeyExA 53623->53624 53625 493f1b 53624->53625 53626 493d97 RegQueryValueExA RegCloseKey 53624->53626 53625->53581 53626->53625 53627 493dc5 53626->53627 53628 403040 std::_Throw_Cpp_error 41 API calls 53627->53628 53629 493dea 53628->53629 53630 493e19 53629->53630 53631 493f30 53629->53631 53632 403040 std::_Throw_Cpp_error 41 API calls 53630->53632 53644 419e60 RaiseException 53631->53644 53634 493e35 std::locale::_Locimp::_Locimp 53632->53634 53635 438c70 std::_Throw_Cpp_error 41 API calls 53634->53635 53637 493e97 std::ios_base::_Ios_base_dtor 53634->53637 53635->53637 53636 438c70 std::_Throw_Cpp_error 41 API calls 53638 493f3f 53636->53638 53637->53636 53639 493ee9 std::ios_base::_Ios_base_dtor 53637->53639 53639->53581 53640->53604 53641->53604 53642->53604 53643->53604 53645->53611 49738 463830 49744 463879 49738->49744 49739 463891 49740 465b82 49739->49740 49741 402df0 std::_Throw_Cpp_error 41 API calls 49739->49741 49743 41ab20 41 API calls 49740->49743 49741->49739 49742 41ab20 41 API calls 49742->49744 49745 465c69 49743->49745 49744->49739 49744->49742 49761 4e6770 93 API calls 49744->49761 49773 413200 41 API calls 49744->49773 49774 41b260 41 API calls 49744->49774 49776 
408ab0 41 API calls 49744->49776 49778 4163b0 41 API calls std::_Throw_Cpp_error 49744->49778 49779 41ac50 41 API calls 49744->49779 49785 416210 41 API calls 49744->49785 49786 4e6ca0 86 API calls 49744->49786 49787 402cf0 41 API calls std::_Throw_Cpp_error 49744->49787 49792 41ae20 41 API calls 49744->49792 49793 439820 43 API calls 49744->49793 49795 4e6c10 85 API calls 49744->49795 49796 416240 41 API calls 49744->49796 49798 41abb0 41 API calls 49744->49798 49800 43d0a8 78 API calls 49744->49800 49801 4130f0 41 API calls 49744->49801 49808 41b400 41 API calls 49744->49808 49809 41bae0 41 API calls 49744->49809 49810 41b1e0 41 API calls 49744->49810 49811 41af80 41 API calls 49744->49811 49812 403350 78 API calls 49744->49812 49813 402df0 41 API calls std::_Throw_Cpp_error 49744->49813 49746 4e6ca0 86 API calls 49745->49746 49747 465c8f 49746->49747 49748 465c93 CreateDirectoryA 49747->49748 49750 465cbe 49747->49750 49748->49750 49753 4667d7 49748->49753 49749 402df0 std::_Throw_Cpp_error 41 API calls 49752 466a3b 49749->49752 49751 4667bc 49750->49751 49754 41b260 41 API calls 49750->49754 49751->49753 49756 4e6770 93 API calls 49751->49756 49755 4185d0 76 API calls 49752->49755 49759 41ab20 41 API calls 49753->49759 49768 466a29 49753->49768 49805 465ce6 49754->49805 49757 466a47 49755->49757 49756->49753 49758 4667ad 49817 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49758->49817 49762 466922 49759->49762 49761->49744 49763 439820 43 API calls 49762->49763 49764 46694a 49763->49764 49765 402df0 std::_Throw_Cpp_error 41 API calls 49764->49765 49769 466964 49765->49769 49766 466a23 49767 43d0a8 78 API calls 49766->49767 49767->49768 49768->49749 49769->49766 49769->49768 49771 403350 78 API calls 49769->49771 49770 413200 41 API calls 49770->49805 49771->49769 49772 41b260 41 API calls 49772->49805 49773->49744 49774->49744 49776->49744 49777 4163b0 41 API calls std::_Throw_Cpp_error 49777->49805 49778->49744 49779->49744 49780 4e6ca0 86 API calls 
49780->49805 49782 416240 41 API calls 49782->49805 49783 402df0 41 API calls std::_Throw_Cpp_error 49783->49805 49784 465ea9 CreateDirectoryA 49784->49805 49785->49744 49786->49744 49787->49744 49788 439820 43 API calls 49788->49805 49789 465fb8 CreateDirectoryA 49789->49805 49790 41ac50 41 API calls 49790->49805 49791 41ae20 41 API calls 49791->49805 49792->49744 49793->49744 49794 41abb0 41 API calls 49794->49805 49795->49744 49796->49744 49797 4130f0 41 API calls 49797->49805 49798->49744 49799 43d0a8 78 API calls 49799->49805 49800->49744 49801->49744 49802 402cf0 41 API calls std::_Throw_Cpp_error 49802->49805 49803 41af80 41 API calls 49803->49805 49804 41b400 41 API calls 49804->49805 49805->49758 49805->49770 49805->49772 49805->49777 49805->49780 49805->49782 49805->49783 49805->49784 49805->49788 49805->49789 49805->49790 49805->49791 49805->49794 49805->49797 49805->49799 49805->49802 49805->49803 49805->49804 49806 403350 78 API calls 49805->49806 49814 416210 41 API calls std::_Throw_Cpp_error 49805->49814 49815 415310 44 API calls std::_Throw_Cpp_error 49805->49815 49816 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49805->49816 49806->49805 49808->49744 49809->49744 49810->49744 49811->49744 49812->49744 49813->49744 49814->49805 49815->49805 49816->49805 49817->49751
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                            • CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
                            • FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
                            • FindClose.KERNEL32(00000000), ref: 004E057C
                            • GetLastError.KERNEL32 ref: 004E0582
                            • GetLastError.KERNEL32 ref: 004E05A0
                              • Part of subcall function 004E71E0: GetCurrentProcess.KERNEL32(004E0900), ref: 004E71EF
                              • Part of subcall function 004E71E0: IsWow64Process.KERNEL32(00000000), ref: 004E71F6
                              • Part of subcall function 0044196B: GetSystemTimeAsFileTime.KERNEL32(004E0A78,00000000,00000000,?,?,?,004E0A78,00000000), ref: 00441980
                              • Part of subcall function 0044196B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044199F
                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?,?,?), ref: 004E0D31
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E0DFD
                            • RegCloseKey.ADVAPI32(?), ref: 004E0E32
                            • GetCurrentHwProfileA.ADVAPI32(?), ref: 004E0FCA
                            • GetModuleHandleExA.KERNEL32(00000004,004E5FC0,?,?,?,?,?,?,?,?,00000000), ref: 004E14CB
                            • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,00000000), ref: 004E14E3
                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 004E1E96
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E1F62
                            • RegCloseKey.ADVAPI32(?), ref: 004E21E1
                            • GetComputerNameA.KERNEL32(?,?), ref: 004E2215
                            • GetUserNameA.ADVAPI32(?,?), ref: 004E23B3
                            • GetDesktopWindow.USER32 ref: 004E2456
                            • GetWindowRect.USER32(00000000,?), ref: 004E2464
                            • GetUserDefaultLocaleName.KERNEL32(?,00000200), ref: 004E25CF
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 004E2A95
                            • LocalAlloc.KERNEL32(00000040), ref: 004E2AA7
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 004E2AC2
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004E2AED
                            • LocalFree.KERNEL32(?), ref: 004E2CB0
                            • GetLocalTime.KERNEL32(?), ref: 004E2CC7
                            • GetSystemTime.KERNEL32(?), ref: 004E2EDD
                            • GetTimeZoneInformation.KERNELBASE(?), ref: 004E2F00
                            • TzSpecificLocalTimeToSystemTime.KERNELBASE(?,?,?), ref: 004E2F25
                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E333F
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E3491
                            • RegCloseKey.ADVAPI32(?), ref: 004E3542
                            • GetSystemInfo.KERNELBASE(?), ref: 004E356A
                            • GlobalMemoryStatusEx.KERNELBASE(?), ref: 004E361D
                            • EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004E3731
                            • EnumDisplayDevicesA.USER32(00000000,00000001,?,00000001), ref: 004E3B14
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004E3C53
                            • Process32First.KERNEL32(00000000,?), ref: 004E3C6B
                            • Process32Next.KERNEL32(00000000,?), ref: 004E3C81
                            • Process32Next.KERNEL32(00000000,?), ref: 004E3D53
                            • CloseHandle.KERNEL32(00000000), ref: 004E3D62
                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E40D6
                            • RegEnumKeyExA.KERNELBASE(?,00000000,?,?), ref: 004E410D
                            • wsprintfA.USER32 ref: 004E41F0
                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E4213
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 004E4312
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 004E4409
                            • RegCloseKey.ADVAPI32(?), ref: 004E44E5
                            • RegCloseKey.ADVAPI32(?), ref: 004E4500
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: CloseTime$FileOpenQueryValue$LocalNameSystem$EnumFindNextProcess32$CreateCurrentDevicesDisplayErrorFirstHandleInfoKeyboardLastLayoutListLocaleModuleProcessUserWindow$AllocComputerCopyDefaultDesktopDirectoryFreeGlobalInformationMemoryProfileRectSnapshotSpecificStatusToolhelp32Unothrow_t@std@@@Wow64Zone__ehfuncinfo$??2@wsprintf
                            • String ID: 2.0$3"A$;Yb.$lamer
                            • API String ID: 3185416054-4066377185
                            • Opcode ID: 45b43ed7126da009d445b01400a3cc839448738a09c41abf21b3d1ab3094e474
                            • Instruction ID: 762722eee12899a3fad9018c2ab51fc1fd94b4ba954c9d0aaa9e31c72487c533
                            • Opcode Fuzzy Hash: 45b43ed7126da009d445b01400a3cc839448738a09c41abf21b3d1ab3094e474
                            • Instruction Fuzzy Hash: BFB3EFB4D0426D8BDB25CF99C981AEEBBB1FF48300F1041AAD949B7351DB345A81CFA5
                            APIs
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BAD2
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040BF80
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C47A
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C575
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C969
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040CD72
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D17B
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D29A
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D6F8
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D9DC
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DAD7
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040DE41
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 0040E55A
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040ECF6
                            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040EEEA
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F45B
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F525
                            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 004101ED
                            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410580
                            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0041088D
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00410DC4
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 0041173C
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411904
                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00411CD7
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411E6E
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411FBE
                            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410B14
                              • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00410F12
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FEF1
                              • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FC55
                              • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F933
                              • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                              • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                              • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                              • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                              • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040E6FA
                              • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                              • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0042910D
                              • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00429155
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DF3C
                              • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                              • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                              • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                              • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D5FD
                              • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BB07
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BD08
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BD37
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C0CC
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C196
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Directory$Create$File$Copy$Find$Cpp_errorThrow_std::_$AttributesErrorFirstLast$FolderPath___std_fs_convert_narrow_to_wide@20$CloseDeleteNextRemove
                            • String ID:
                            • API String ID: 1172780710-0
                            • Opcode ID: a5ab48d61c2b3dff66acd5580ca9f5a7979e211ebeafd6bfe51893aa718087df
                            • Instruction ID: 57087eddf2f8576e704702d152c9cc5b4e2b87ff67a8e07952ed474be97f1841
                            • Opcode Fuzzy Hash: a5ab48d61c2b3dff66acd5580ca9f5a7979e211ebeafd6bfe51893aa718087df
                            • Instruction Fuzzy Hash: 56F3E2B4D0425D8BDF25CF99C981AEEBBB1BF18304F1041AAD849B7341DB385A85CF69
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004AA277
                              • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: same dump regions and IDA Plugin snapshot as listed for the first function above
                            Similarity
                            • API ID: FileFindFirstFolderPath
                            • String ID: ;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$Jzv"$WUa5$X<b.$cannot use operator[] with a string argument with $cannot use push_back() with
                            • API String ID: 2195519125-383699475
                            • Opcode ID: c36f79b10380e0d4eb6227b5af65ef75ab6caf6994dd972f376c2d3bc510d359
                            • Instruction ID: d5c29c46e18a526762dbfc7c8aed9f945ae13eab665394adbd88e65e82b678fb
                            • Opcode Fuzzy Hash: c36f79b10380e0d4eb6227b5af65ef75ab6caf6994dd972f376c2d3bc510d359
                            • Instruction Fuzzy Hash: 29B433B0D052698BDB25CF68C984BEEBBB1BF49304F1081DAD449A7281DB746F84CF95
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,0055B192,000000FF), ref: 004D766C
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004D7693
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7959
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7CBB
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004D8DF7
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D9992
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA31E
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DA3EF
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA712
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAA7D
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DAB4E
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAE39
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 004DB0C9
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB27C
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB556
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB93C
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 004DBCF1
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DBEA4
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC17E
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC564
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9FB3
                              • Part of subcall function 004DFF00: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
                              • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E05A0
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC99C
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DCAF3
                              • Part of subcall function 004DE430: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9C53
                              • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                              • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                              • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                              • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                              • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                              • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 004D9648
                              • Part of subcall function 004DFF00: FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
                              • Part of subcall function 004DFF00: FindClose.KERNEL32(00000000), ref: 004E057C
                              • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E0582
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004D91DD
                              • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                              • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                              • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                              • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 004D896A
                              • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D8B1D
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004D8362
                              • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                            • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004D8623
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D801B
                              • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: same dump regions and IDA Plugin snapshot as listed for the first function above
                            Similarity
                            • API ID: Directory$Create$File$Find$ErrorLast$CopyCpp_errorThrow_std::_$AttributesFolderPath$CloseFirstNext$DeleteRemove
                            • String ID:
                            • API String ID: 1140557632-0
                            • Opcode ID: e82f1e92f549f30e97cc6cc2b299e4ee6cad0568081bbef442e5b3f1a2ecc56a
                            • Instruction ID: 6b404ecdfd53acb60f6cf5d734e717c5294ca690171ae70fa85b8f1a38f34a58
                            • Opcode Fuzzy Hash: e82f1e92f549f30e97cc6cc2b299e4ee6cad0568081bbef442e5b3f1a2ecc56a
                            • Instruction Fuzzy Hash: 76F3F2B4D0525A8BCF15CFA9C9916EEBBB0BF18304F20419AD549B7341DB346B84CFA6
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B
                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049086F
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00490895
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490A2C
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490CB3
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490DA0
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490EE1
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490FCB
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 004910B5
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 0049119F
                            • RegCloseKey.ADVAPI32(?), ref: 0049229B
                            • RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 004922D1
                            • RegCloseKey.ADVAPI32(?), ref: 004922E5
                            Strings
                            • cannot use operator[] with a string argument with , xrefs: 0049239E, 004923F3
                            • cannot use push_back() with , xrefs: 00492345
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: same dump regions and IDA Plugin snapshot as listed for the first function above
                            Similarity
                            • API ID: QueryValue$CloseEnumOpen
                            • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                            • API String ID: 2041898428-3306948993
                            • Opcode ID: d77b9d8c88138d747d633f127853c746ccae4b46e75a2bdc3769da4eb66397e1
                            • Instruction ID: 6d5f253b48c5edfa20594e0b0a8a78ae050bf84d77acb07cc1b8e3b44561805a
                            • Opcode Fuzzy Hash: d77b9d8c88138d747d633f127853c746ccae4b46e75a2bdc3769da4eb66397e1
                            • Instruction Fuzzy Hash: 511322B0C042698BDB25CF68CD84BEEBBB4BF49304F1042EAD549A7241EB756B85CF54
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00493FA7
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                            • FindFirstFileA.KERNEL32(?,?), ref: 0049455F
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0049496C
                            • FindClose.KERNEL32(00000000), ref: 0049497C
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494A53
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494B19
                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00494C9D
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494E44
                            • CopyFileA.KERNEL32(00000000,?,00000000), ref: 004950F8
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00495638
                            • CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 004959FD
                            • LocalFree.KERNELBASE(00000000,?,?,?,00000004), ref: 004962D7
                              • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,0041ABA8,?,?,?,00431D09,0041ABA8,005799D8,00000000,0041ABA8), ref: 0043525B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: same dump regions and IDA Plugin snapshot as listed for the first function above
                            Similarity
                            • API ID: File$CopyCreateDirectoryFind$Cpp_errorThrow_std::_$AttributesCloseCredEnumerateErrorExceptionFirstFolderFreeLastLocalNextPathRaise
                            • String ID: cannot use operator[] with a string argument with $tmX
                            • API String ID: 3528249430-2011928656
                            • Opcode ID: 3d2b1456e8b39aeb366bde87ef0f14ff4fdcb0ee34f3961ee7aedf5236aca31f
                            • Instruction ID: 1c5c2bc117abc336d538eb0f3ab0e4b698252c7f2e821ac10c87ad1798346723
                            • Opcode Fuzzy Hash: 3d2b1456e8b39aeb366bde87ef0f14ff4fdcb0ee34f3961ee7aedf5236aca31f
                            • Instruction Fuzzy Hash: 0E3310B4C042698BDB25CFA8C994BEDBBB0BF18304F1041EAD849A7351EB346B85CF55
                            APIs
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                            • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 004827AB
                            • SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00482AA7
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00482DA5
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00483105
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00483433
                            • SHGetFolderPathA.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00483737
                            • Concurrency::cancel_current_task.LIBCPMT ref: 004844E1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: same dump regions and IDA Plugin snapshot as listed for the first function above
                            Similarity
                            • API ID: FolderPath$AttributesConcurrency::cancel_current_taskErrorFileLast
                            • String ID: cannot compare iterators of different containers$cannot get value$type must be boolean, but is $type must be string, but is
                            • API String ID: 1974481932-2698695959
                            • Opcode ID: d0301a8b95a08a71e917fed5252be201ad1dde5db3a88a7951cdcef90b627165
                            • Instruction ID: 7d592af2553ac1c7978d8671279e796c0dcb22ab630186640302ddbce1f3b4fb
                            • Opcode Fuzzy Hash: d0301a8b95a08a71e917fed5252be201ad1dde5db3a88a7951cdcef90b627165
                            • Instruction Fuzzy Hash: D74334B0C042698BDB25DF28C994BEEBBB5BF48304F1082DAD449A7281DB756F84CF55
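                            Every entry above uses the same line shape, `Api.MODULE(args), ref: address`, with the arguments that matter for triage (CSIDL folder IDs for SHGetFolderPathA, the hive and access mask for RegOpenKeyExA, the flags for CredEnumerateA, the attribute value for SetFileAttributesA) printed as raw hex. The script below is an added example for this page, not output or code from Joe Sandbox: it parses those lines, resolves the hex arguments against Windows SDK constant values, and groups the calls under triage tags. The sample lines are copied from the listings above; the tag names and the choice of which arguments to decode are this example's own assumptions.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function listing into analyst-readable calls.

Added example for this report page; not Joe Sandbox code. The sample lines are copied
from the listings above, the constant tables hold Windows SDK values, and the
capability tags are this example's own triage labels.
"""
import re
from collections import defaultdict

# Sample input: API lines copied from the function listings in this report.
SAMPLE_LINES = r"""
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,0055B192,000000FF), ref: 004D766C
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004D7693
• CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7959
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DA3EF
• RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049086F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490A2C
• CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 004959FD
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00482DA5
• SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
• DeleteFileA.KERNEL32(?), ref: 004E6AA4
• RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
  • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
• std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
"""

# One report line: optional "Part of subcall function XXXXXXXX:", then Api.MODULE(args), ref: XXXXXXXX
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Windows SDK constants for the arguments the report shows as raw hex.
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL (My Documents)", 0x08: "CSIDL_RECENT",
         0x1A: "CSIDL_APPDATA (Roaming)", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
FILE_ATTR = {0x80: "FILE_ATTRIBUTE_NORMAL"}
CRED_FLAGS = {0x1: "CRED_ENUMERATE_ALL_CREDENTIALS"}

# Triage labels (this example's own assumption) for the APIs that matter in a stealer.
CAPABILITY = {
    "CredEnumerateA": "credential-manager-read",
    "RegOpenKeyExA": "registry-enumeration", "RegEnumKeyA": "registry-enumeration",
    "RegQueryValueExA": "registry-enumeration",
    "SHGetFolderPathA": "user-profile-lookup", "CopyFileA": "file-staging",
    "SetFileAttributesA": "cleanup", "DeleteFileA": "cleanup", "RemoveDirectoryA": "cleanup",
}


def parse_api_line(line):
    """Return {api, module, args, ref, subcall} for one report line, or None if it is not an API line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": [] if raw is None else raw.split(","),
            "ref": m.group("ref"), "subcall": m.group("sub")}


def _hex(arg):
    """Parse a hex argument; '?' and string literals (wildcard paths etc.) give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_call(call):
    """Render one parsed call with its hex arguments resolved to SDK constant names."""
    api, args = call["api"], call["args"]
    notes = []
    if api == "SHGetFolderPathA" and len(args) > 1:          # arg 1 is the CSIDL folder id
        v = _hex(args[1])
        notes.append(CSIDL.get(v, "?" if v is None else f"CSIDL 0x{v:02X}"))
    elif api == "RegOpenKeyExA" and len(args) > 3:           # arg 0 hive handle, arg 3 access mask
        notes.append(HIVES.get(_hex(args[0]), "hive " + args[0]))
        a = _hex(args[3])
        notes.append(REG_ACCESS.get(a, "?" if a is None else f"access 0x{a:X}"))
    elif api == "SetFileAttributesA" and len(args) > 1:      # arg 1 is the new attribute set
        notes.append(FILE_ATTR.get(_hex(args[1]), "attr " + args[1]))
    elif api == "CredEnumerateA" and len(args) > 1:          # arg 0 filter, arg 1 flags
        notes.append("filter=NULL" if _hex(args[0]) == 0 else "filter=" + args[0])
        notes.append(CRED_FLAGS.get(_hex(args[1]), "flags " + args[1]))
    where = call["ref"] + (f" (via {call['subcall']})" if call["subcall"] else "")
    return f"{where}: {api}" + (f" [{', '.join(notes)}]" if notes else "")


def summarize(text):
    """Group every API line in `text` under its capability tag: {tag: [decoded call, ...]}."""
    out = defaultdict(list)
    for line in text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            out[CAPABILITY.get(call["api"], "other")].append(decode_call(call))
    return dict(out)


if __name__ == "__main__":
    for tag, calls in summarize(SAMPLE_LINES).items():
        print(tag)
        for c in calls:
            print("   ", c)
```

                            Run it against a whole function entry pasted into SAMPLE_LINES and the registry block resolves to HKEY_CURRENT_USER opened with KEY_READ, the folder lookups to APPDATA, LOCAL_APPDATA and PROFILE, and the CredEnumerateA call to a NULL filter with CRED_ENUMERATE_ALL_CREDENTIALS, which is what you would expect to see next to the "Tries to steal Mail credentials" and browser-harvesting signatures. Lines that carry no API call (Memory Dump Source, Similarity, Opcode ID) are ignored, so the listing can be pasted in unedited.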

                            Control-flow Graph (legend: Executed / Not Executed)

                            • Function 004E6770, basic blocks 4e6770-4e6c0f: FindFirstFileA (block 4e6882-4e68f1), a per-entry loop of SetFileAttributesA (4e6a79-4e6a92) and DeleteFileA (4e6a98-4e6aac) driven by FindNextFileA (4e6aae-4e6ac1), then FindClose and GetLastError (4e6ac7-4e6adb), SetFileAttributesA on the directory itself (4e6ae7-4e6af5) and RemoveDirectoryA (4e6b0a-4e6b13); block 4e6a5b-4e6a6e calls 4e6770 again, so the function recurses into entries it encounters; error exits go through GetLastError (4e6b20-4e6b28) and std::_Throw_Cpp_error (4e6be5-4e6bf8).
                            APIs
                            • FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                            • DeleteFileA.KERNEL32(?), ref: 004E6AA4
                            • FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                            • FindClose.KERNEL32(?), ref: 004E6ACA
                            • GetLastError.KERNEL32 ref: 004E6AD0
                            • SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                            • RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                            • GetLastError.KERNEL32 ref: 004E6B20
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: same dump regions as listed for the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: File$Find$AttributesCpp_errorErrorLastThrow_std::_$CloseDeleteDirectoryFirstNextRemove
                            • String ID: \*.*
                            • API String ID: 460640838-1173974218
                            • Opcode ID: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                            • Instruction ID: d809dff945c313677263d2cc5f51936a643c350294cf92fd29307912c56e1fe7
                            • Opcode Fuzzy Hash: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                            • Instruction Fuzzy Hash: EDD11670C00288CFDB10DFA9C9487EEBBB1FF65305F20425AE454BB292D7786A89DB55
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049F224
                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049F322
                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049F515
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1C76
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1F5D
                            • lstrlen.KERNEL32(?), ref: 004A348E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
                            • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with $~]d
                            • API String ID: 2833034228-1763774129
                            • Opcode ID: 747f4e010e13d6d04a90195c26ca14158d5fcfd1b6ea7f72e288f8632fb18a75
                            • Instruction ID: 3f98b5ef17dcfaa8f689e4fcb5a5d7fbbd5e2711f2842c60bb6495c93d0a2e70
                            • Opcode Fuzzy Hash: 747f4e010e13d6d04a90195c26ca14158d5fcfd1b6ea7f72e288f8632fb18a75
                            • Instruction Fuzzy Hash: 2793DCB4D052A98ADB65CF29C990BEDBBB1BF59304F0081EAD84DA7241DB742BC4CF45
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00496504
                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00496602
                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 004967F5
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498078
                            • lstrlen.KERNEL32(?), ref: 0049854F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                            • String ID: ;Yb.$Tz}9$cannot use operator[] with a string argument with $cannot use push_back() with
                            • API String ID: 3203477177-4100205650
                            • Opcode ID: 641fc5b18450fd03bf11618a53967572d52a20251f884f0a8a37d384370fa803
                            • Instruction ID: 6b3be8cf9a559e92d133cc3b6572ed682d4dab2050fd03768d9c929fe5be15d2
                            • Opcode Fuzzy Hash: 641fc5b18450fd03bf11618a53967572d52a20251f884f0a8a37d384370fa803
                            • Instruction Fuzzy Hash: 352300B0D052688BDB25CF28C9947EDBBB5BF49304F1082EAE449A7281DB746BC4CF55
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00498804
                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00498902
                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00498AF8
                            • lstrlen.KERNEL32(?), ref: 0049AE11
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                            • String ID: ;Yb.$AN|5$cannot use operator[] with a string argument with $cannot use push_back() with
                            • API String ID: 1311570089-1903585501
                            • Opcode ID: 7a795f4a75cc05358dbe245a654706af840b6884b9ea29fb8d3fe37fdcea0eaf
                            • Instruction ID: e112265f5291f7fbed9e5ebb381307dd27655726dfd0f1f0b2bb5fda635101ca
                            • Opcode Fuzzy Hash: 7a795f4a75cc05358dbe245a654706af840b6884b9ea29fb8d3fe37fdcea0eaf
                            • Instruction Fuzzy Hash: D44322B0D052688BDB25CF28C8947EEBBB5BF49304F1082EAD449A7242DB756BC4CF55
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049B158
                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049B265
                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049B458
                            • lstrlen.KERNEL32(?), ref: 0049D22D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                            • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with
                            • API String ID: 1311570089-747751661
                            • Opcode ID: c3ff6d4c08391f03b95f4eab6d93f624c9091cf10f40d6c6a7f23604d409b1d3
                            • Instruction ID: b2dbe3f5757ef5304a2bca7f4d9e3a7c922558eb406562d1b13ccbd165419304
                            • Opcode Fuzzy Hash: c3ff6d4c08391f03b95f4eab6d93f624c9091cf10f40d6c6a7f23604d409b1d3
                            • Instruction Fuzzy Hash: BF2321B0D042688BDB25CF28C9947EDBBB1BF59304F1082EAE449A7281DB746BC4CF55

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                            • String ID:
                            • API String ID: 448659506-0
                            • Opcode ID: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                            • Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
                            • Opcode Fuzzy Hash: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                            • Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049D4F4
                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049D5F2
                            • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049D7E5
                            • lstrlen.KERNEL32(?), ref: 0049EF32
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                            • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                            • API String ID: 1311570089-3306948993
                            • Opcode ID: ae28f5e89c03080d73ac5a78ec42496be91557f4f3b74bbfbf37e3b0e6e5a074
                            • Instruction ID: d38aed82ee4788d52106214de1412b854dd9129e0c255bb6c7140376d04d8967
                            • Opcode Fuzzy Hash: ae28f5e89c03080d73ac5a78ec42496be91557f4f3b74bbfbf37e3b0e6e5a074
                            • Instruction Fuzzy Hash: 570334B0D042688BDB25CF28C9947EEBBB4BF59304F1042EED449A7281EB746B84CF55

                            APIs
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004C7051
                              • Part of subcall function 00432534: __EH_prolog3.LIBCMT ref: 00432570
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004C7062
                              • Part of subcall function 004E74C0: __fread_nolock.LIBCMT ref: 004E7609
                            • DeleteFileA.KERNELBASE(?), ref: 004C70EB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Cpp_errorThrow_std::_$DeleteFileH_prolog3__fread_nolock
                            • String ID: 131$lamer
                            • API String ID: 3880692912-2147393740
                            • Opcode ID: ed82176a8a559ef53b8c12fb7edaf71171fa2efdd5e6f73f41023a368e686b71
                            • Instruction ID: 7966019704e3fd473910eda9b3190c6326d4c2da0caac65bea49cbac806563d6
                            • Opcode Fuzzy Hash: ed82176a8a559ef53b8c12fb7edaf71171fa2efdd5e6f73f41023a368e686b71
                            • Instruction Fuzzy Hash: 1E32ACB4D04248CFCB04DFA8C985BAEBBB1BF58304F14419EE8056B392D779AA45CF95

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 12878 4fad00-4fad1e call 4fbf00 12881 4fb35e-4fb364 12878->12881 12882 4fad24-4fad2d 12878->12882 12883 4fad2f-4fad31 12882->12883 12884 4fad33-4fad39 12882->12884 12885 4fad53-4fad59 12883->12885 12886 4fad3f-4fad50 12884->12886 12887 4fad3b-4fad3d 12884->12887 12888 4fad5b-4fad61 12885->12888 12889 4fad63-4fad6a 12885->12889 12886->12885 12887->12885 12890 4fad72-4fad8f call 54a0f0 12888->12890 12889->12890 12891 4fad6c 12889->12891 12894 4fb348 12890->12894 12895 4fad95-4fada7 call 4359b0 12890->12895 12891->12890 12896 4fb34a 12894->12896 12901 4fadeb-4fadf0 12895->12901 12902 4fada9-4fadb0 12895->12902 12898 4fb34f-4fb354 call 54b110 12896->12898 12908 4fb356-4fb35b 12898->12908 12904 4fadfc-4faeb4 call 54a8c0 12901->12904 12905 4fadf2-4fadf9 12901->12905 12906 4fadc9-4fadd9 12902->12906 12907 4fadb2-4fadc4 call 549d90 12902->12907 12905->12904 12906->12901 12915 4faddb-4fade6 call 549d90 12906->12915 12907->12896 12908->12881 12915->12896 12927 4faec9-4faece 12916->12927 12942 4faf8e 12916->12942 12925 4faec7 12917->12925 12925->12927 12929 4faeda-4faee2 12927->12929 12930 4faed0-4faed7 12927->12930 12931 4fb31b-4fb321 12929->12931 12932 4faee8-4faeed 12929->12932 12930->12929 12931->12896 12936 4fb323-4fb32c 12931->12936 12932->12931 12935 4faef3-4faef8 12932->12935 12935->12931 12938 4faefe-4faf18 12935->12938 12936->12898 12939 4fb32e-4fb330 12936->12939 12939->12908 12941 4fb332-4fb347 12939->12941 12943 4faf93-4faf97 12942->12943 12943->12943 12944 4faf99-4fafaf 12943->12944 12945 4fafb1-4fafbd 12944->12945 12946 4fb000 12944->12946 12947 4fafbf-4fafc1 12945->12947 12948 4faff0-4faffe 12945->12948 12949 4fb002-4fb015 call 5461b0 12946->12949 12950 4fafc3-4fafe2 12947->12950 12948->12949 12954 4fb01c 12949->12954 12955 4fb017-4fb01a 12949->12955 12950->12950 12952 4fafe4-4fafed 12950->12952 12952->12948 12956 4fb01e-4fb063 call 4fb370 call 4fb5d0 12954->12956 12955->12956 12961 4fb065-4fb07e call 5475d0 12956->12961 12962 4fb083-4fb0d1 call 51ba20 * 2 12956->12962 12961->12925 12962->12925 12969 4fb0d7-4fb102 call 5475d0 call 4fb710 12962->12969 12974 4fb108-4fb10d 12969->12974 12975 4fb1a4-4fb1b2 12969->12975 12976 4fb110-4fb114 12974->12976 12977 4fb1b8-4fb1bd 12975->12977 12978 4fb2c1-4fb2cb 12975->12978 12976->12976 12979 4fb116-4fb127 12976->12979 12982 4fb1c0-4fb1c7 12977->12982 12980 4fb2df-4fb2e3 12978->12980 12981 4fb2cd-4fb2d2 12978->12981 12983 4fb129-4fb130 12979->12983 12984 4fb133-4fb14b call 51bbd0 12979->12984 12980->12927 12986 4fb2e9-4fb2ef 12980->12986 12981->12980 12985 4fb2d4-4fb2d9 12981->12985 12987 4fb1cd-4fb1dc 12982->12987 12988 4fb1c9-4fb1cb 12982->12988 12983->12984 12999 4fb14d-4fb166 call 4fb710 12984->12999 13000 4fb169-4fb16e 12984->13000 12985->12927 12985->12980 12986->12927 12990 4fb2f5-4fb30e call 5475d0 call 4fbbd0 12986->12990 12991 4fb1e8-4fb1ee 12987->12991 13002 4fb1de-4fb1e5 12987->13002 12988->12991 13014 4fb313-4fb316 12990->13014 12992 4fb1f7-4fb1fc 12991->12992 12993 4fb1f0-4fb1f5 12991->12993 12998 4fb1ff-4fb201 12992->12998 12993->12998 13003 4fb20d-4fb214 12998->13003 13004 4fb203-4fb20a 12998->13004 12999->13000 13007 4fb185-4fb18f 13000->13007 13008 4fb170-4fb180 call 5475d0 13000->13008 13002->12991 13011 4fb216-4fb227 13003->13011 13012 4fb242-4fb244 13003->13012 13004->13003 13009 4fb19b-4fb19e 13007->13009 13010 4fb191-4fb198 13007->13010 13008->13007 13009->12975 13017 4fb1a0 13009->13017 13010->13009 13028 4fb23f 13011->13028 13029 4fb229-4fb23c call 5475d0 13011->13029 13020 4fb246-4fb24d 13012->13020 13021 4fb2b0-4fb2bb 13012->13021 13014->12927 13017->12975 13022 4fb24f-4fb256 13020->13022 13023 4fb2a6 13020->13023 13021->12978 13021->12982 13026 4fb258-4fb25f 13022->13026 13027 4fb262-4fb282 13022->13027 13030 4fb2ad 13023->13030 13026->13027 13035 4fb28a-4fb29b 13027->13035 13036 4fb284 13027->13036 13028->13012 13029->13028 13030->13021 13035->13021 13038 4fb29d-4fb2a4 13035->13038 13036->13035 13038->13030
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID:
                            • String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
                            • API String ID: 0-1885142750
                            • Opcode ID: 709491dc051ea1e70093cc478a2a2d0c63acaf5bae6c4c00e9975ec16f4ae69b
                            • Instruction ID: 5912c9be0b5fe0253428befa1510005b8e6d21b15bd6994098c8da1f87b2af15
                            • Opcode Fuzzy Hash: 709491dc051ea1e70093cc478a2a2d0c63acaf5bae6c4c00e9975ec16f4ae69b
                            • Instruction Fuzzy Hash: 510258B0A007089BEB209F15DC4577B7BE4EF51304F14442EEA4A9B391EBB9E944CBC6

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 13710 4df030-4df14d call 4359b0 SHGetFolderPathA 13713 4df150-4df155 13710->13713 13713->13713 13714 4df157-4df179 call 403040 13713->13714 13717 4df180-4df185 13714->13717 13717->13717 13718 4df187-4df1e9 call 41fbf0 13717->13718 13721 4df1eb-4df1fa 13718->13721 13722 4df21a-4df247 call 4e6ca0 13718->13722 13724 4df1fc-4df20a 13721->13724 13725 4df210-4df217 call 4338f3 13721->13725 13729 4df24d-4df310 call 41ab20 call 4e6ca0 13722->13729 13730 4dfe6b-4dfe7b 13722->13730 13724->13725 13727 4dfed9 call 438c70 13724->13727 13725->13722 13734 4dfede call 402c60 13727->13734 13751 4df333-4df3c3 13729->13751 13752 4df312-4df32d CreateDirectoryA 13729->13752 13735 4dfe7d-4dfe89 13730->13735 13736 4dfea5-4dfed8 call 402df0 13730->13736 13745 4dfee3 call 402c60 13734->13745 13740 4dfe9b-4dfea2 call 4338f3 13735->13740 13741 4dfe8b-4dfe99 13735->13741 13740->13736 13741->13740 13746 4dfeed-4dfef2 call 438c70 13741->13746 13753 4dfee8 call 402c60 13745->13753 13756 4df3c6-4df3cb 13751->13756 13752->13751 13755 4dfe59 13752->13755 13753->13746 13758 4dfe5c-4dfe66 call 402df0 13755->13758 13756->13756 13759 4df3cd-4df3dd 13756->13759 13758->13730 13759->13734 13761 4df3e3-4df44b call 41e8a0 call 4e6ca0 call 402df0 13759->13761 13768 4df65e-4df6ee 13761->13768 13769 4df451-4df511 call 41ab20 call 4e6ca0 13761->13769 13771 4df6f1-4df6f6 13768->13771 13778 4df534-4df603 call 4163b0 call 41ab20 call 4dff00 13769->13778 13779 4df513-4df52e CreateDirectoryA 13769->13779 13771->13771 13773 4df6f8-4df703 13771->13773 13773->13745 13775 4df709-4df76b call 41e8a0 call 4e6ca0 call 402df0 13773->13775 13791 4df771-4df831 call 41ab20 call 4e6ca0 13775->13791 13792 4df982-4dfa9b 13775->13792 13797 4df60d-4df64a call 402cf0 call 4e6770 call 402df0 13778->13797 13798 4df605-4df60b 13778->13798 13779->13778 13781 4df64f-4df659 call 402df0 13779->13781 13781->13768 13808 4df858-4df927 call 4163b0 call 41ab20 call 4dff00 13791->13808 13809 4df833-4df852 CreateDirectoryA 13791->13809 13795 4dfaa0-4dfaa5 13792->13795 13795->13795 13800 4dfaa7-4dfab0 13795->13800 13797->13781 13798->13781 13800->13753 13803 4dfab6-4dfb18 call 41e8a0 call 4e6ca0 call 402df0 13800->13803 13803->13758 13823 4dfb1e-4dfc64 call 41ab20 call 4e6ca0 13803->13823 13827 4df929-4df92f 13808->13827 13828 4df931-4df96e call 402cf0 call 4e6770 call 402df0 13808->13828 13809->13808 13812 4df973-4df97d call 402df0 13809->13812 13812->13792 13835 4dfc8b-4dfdfe call 4163b0 call 41ab20 call 4dff00 13823->13835 13836 4dfc66-4dfc85 CreateDirectoryA 13823->13836 13827->13812 13828->13812 13847 4dfe08-4dfe45 call 402cf0 call 4e6770 call 402df0 13835->13847 13848 4dfe00-4dfe06 13835->13848 13836->13835 13838 4dfe4a-4dfe54 call 402df0 13836->13838 13838->13755 13847->13838 13848->13838
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF329
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF52A
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF84A
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DFC7D
                              • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesErrorFindFirstFolderLastPath
                            • String ID:
                            • API String ID: 2127212259-0
                            • Opcode ID: 0a9d66dacc852727762dd02661486b9ec628ab0a78a4986b9bfafa3a96ef7e23
                            • Instruction ID: 8e27dc709fe3b7ff7b62f4d1f71842afe3ac2492894b6e8ccfd466f18f63ab33
                            • Opcode Fuzzy Hash: 0a9d66dacc852727762dd02661486b9ec628ab0a78a4986b9bfafa3a96ef7e23
                            • Instruction Fuzzy Hash: DBA202B4D0425D8BDF25CFA8C995AEEBBB0BF18304F2041AAD949B7351D7341A84CFA5

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 13854 4de430-4de53b call 4359b0 SHGetFolderPathA 13857 4de540-4de545 13854->13857 13857->13857 13858 4de547-4de563 call 403040 13857->13858 13861 4de566-4de56b 13858->13861 13861->13861 13862 4de56d-4de64d call 41fbf0 call 418f00 13861->13862 13867 4de64f-4de65e 13862->13867 13868 4de67e-4de6a6 13862->13868 13869 4de674-4de67b call 4338f3 13867->13869 13870 4de660-4de66e 13867->13870 13871 4de6a8-4de6b7 13868->13871 13872 4de6d7-4de70a call 4e6ca0 13868->13872 13869->13868 13870->13869 13873 4df016 call 438c70 13870->13873 13875 4de6cd-4de6d4 call 4338f3 13871->13875 13876 4de6b9-4de6c7 13871->13876 13884 4def96-4defa6 13872->13884 13885 4de710-4de7ca call 41ab20 call 4e6d70 13872->13885 13882 4df01b call 402c60 13873->13882 13875->13872 13876->13873 13876->13875 13890 4df020 call 402c60 13882->13890 13887 4defa8-4defb7 13884->13887 13888 4defd3-4df015 call 402df0 * 2 13884->13888 13906 4deb14-4deba4 13885->13906 13907 4de7d0-4de8b0 call 41ab20 call 41ad80 call 402df0 call 4e6ca0 13885->13907 13891 4defc9-4defd0 call 4338f3 13887->13891 13892 4defb9-4defc7 13887->13892 13901 4df025 call 402c60 13890->13901 13891->13888 13892->13891 13897 4df02a-4df02f call 438c70 13892->13897 13901->13897 13911 4deba7-4debac 13906->13911 13926 4de8d7-4de982 call 41ab20 13907->13926 13927 4de8b2-4de8d1 CreateDirectoryA 13907->13927 13911->13911 13913 4debae-4debb9 13911->13913 13913->13890 13915 4debbf-4dec27 call 41e8a0 call 4e6ca0 call 402df0 13913->13915 13915->13884 13931 4dec2d-4ded01 call 41ab20 call 41ad80 call 402df0 call 4e6ca0 13915->13931 13936 4de984 13926->13936 13937 4de986-4dea19 13926->13937 13927->13926 13929 4deb05-4deb0f call 402df0 13927->13929 13929->13906 13950 4ded1f-4dedaf 13931->13950 13951 4ded03-4ded19 CreateDirectoryA 13931->13951 13936->13937 13939 4dea20-4dea25 13937->13939 13939->13939 13941 4dea27-4dea32 13939->13941 13941->13882 13943 4dea38-4deab1 call 41e8a0 CopyFileA call 402df0 * 2 13941->13943 13960 4deabe-4deafb call 402cf0 call 4e6770 call 402df0 13943->13960 13961 4deab3-4deabc 13943->13961 13955 4dedb2-4dedb7 13950->13955 13951->13950 13953 4def87 13951->13953 13956 4def8a-4def91 call 402df0 13953->13956 13955->13955 13958 4dedb9-4dedc2 13955->13958 13956->13884 13958->13901 13962 4dedc8-4dee57 call 41e8a0 call 402df0 * 2 call 4e6ca0 13958->13962 13963 4deb00 13960->13963 13961->13963 13977 4dee59-4dee6f CreateDirectoryA 13962->13977 13978 4dee75-4def41 call 4163b0 call 41ab20 call 4dff00 13962->13978 13963->13929 13977->13956 13977->13978 13985 4def4e-4def82 call 402cf0 call 4e6770 call 402df0 13978->13985 13986 4def43-4def4c 13978->13986 13985->13953 13986->13953
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DE8C9
                            • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DEA83
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DED11
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DEE67
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesCopyErrorFolderLastPath
                            • String ID:
                            • API String ID: 1001086254-0
                            • Opcode ID: 421e36309c22111a033c8f9f38f840648b1e0bb665710f0a707a7c163fba85ac
                            • Instruction ID: 4de69712ac24b7a09e9bc2c7d11d42553b755471a164b72fa8c1d2b7ead1c118
                            • Opcode Fuzzy Hash: 421e36309c22111a033c8f9f38f840648b1e0bb665710f0a707a7c163fba85ac
                            • Instruction Fuzzy Hash: 298225B0C042598BCB15CFA9C995BEEBBB0BF18304F10419ED549BB382DB745A85CFA5

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 14881 4c6000-4c6070 14882 4c608a-4c6133 call 41ab20 14881->14882 14883 4c6072 14881->14883 14889 4c6135 14882->14889 14890 4c6137-4c615c FindFirstFileA call 402df0 14882->14890 14885 4c6074-4c6080 call 402df0 14883->14885 14891 4c6082-4c6087 14885->14891 14889->14890 14894 4c6162-4c6166 14890->14894 14895 4c6463-4c648d call 402df0 14890->14895 14891->14882 14896 4c6168-4c616f 14894->14896 14897 4c6177-4c617e 14894->14897 14899 4c6175 14896->14899 14900 4c6437-4c6447 FindNextFileA 14896->14900 14897->14900 14902 4c6184-4c618d 14897->14902 14899->14902 14900->14894 14903 4c644d-4c6456 GetLastError 14900->14903 14904 4c6190-4c6195 14902->14904 14903->14894 14906 4c645c-4c645d FindClose 14903->14906 14904->14904 14905 4c6197-4c61a2 14904->14905 14907 4c61ad-4c61b0 14905->14907 14908 4c61a4-4c61a7 14905->14908 14906->14895 14909 4c61b2-4c61b5 14907->14909 14910 4c61c3-4c61c7 14907->14910 14908->14900 14908->14907 14909->14910 14911 4c61b7-4c61bd 14909->14911 14912 4c61cd-4c6295 call 41ab20 14910->14912 14913 4c6385-4c63b7 call 403040 14910->14913 14911->14900 14911->14910 14918 4c6298-4c629d 14912->14918 14919 4c63b9-4c63e1 14913->14919 14920 4c63e3-4c63ef call 4242a0 14913->14920 14918->14918 14921 4c629f-4c62ef call 418f00 14918->14921 14922 4c63f2-4c63f9 14919->14922 14920->14922 14933 4c62f1-4c6310 14921->14933 14934 4c6312-4c631e call 4242a0 14921->14934 14925 4c63fb-4c6409 14922->14925 14926 4c6425-4c6433 14922->14926 14928 4c641b-4c6422 call 4338f3 14925->14928 14929 4c640b-4c6419 14925->14929 14926->14900 14928->14926 14929->14928 14931 4c648e-4c6493 call 438c70 14929->14931 14936 4c6321-4c632e 14933->14936 14934->14936 14941 4c635c-4c6380 call 402df0 14936->14941 14942 4c6330-4c633c 14936->14942 14941->14900 14943 4c633e-4c634c 14942->14943 14944 4c6352-4c6359 call 4338f3 14942->14944 14943->14931 14943->14944 14944->14941
                            APIs
                            • FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                            • FindNextFileA.KERNELBASE(00000000,00000010), ref: 004C643F
                            • GetLastError.KERNEL32 ref: 004C644D
                            • FindClose.KERNEL32(00000000), ref: 004C645D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Find$File$CloseErrorFirstLastNext
                            • String ID:
                            • API String ID: 819619735-0
                            • Opcode ID: f696f36471cce9f3eb40e10dd2f1f3c06691054e1164fa2630a9de22a9a37f80
                            • Instruction ID: afe6fe270f27518361ed143ef8865d869d8c660e8b4c9bb3a5978c93709ae348
                            • Opcode Fuzzy Hash: f696f36471cce9f3eb40e10dd2f1f3c06691054e1164fa2630a9de22a9a37f80
                            • Instruction Fuzzy Hash: ACD17CB4C043488FDB24CF98C994BEEBBB1BF45314F14829ED4496B392D7785A84CB59
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
                            • LocalFree.KERNEL32(?), ref: 004C6B86
                            • LocalFree.KERNEL32(?), ref: 004C6C82
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: FreeLocal$CryptDataUnprotect
                            • String ID:
                            • API String ID: 2835072361-0
                            • Opcode ID: ca1e730759337fa49bbce61ea0016bf7f681cd111c34800b91b137380e4f608d
                            • Instruction ID: 6019ec204b0dd747d4126109e6a4f8e7bf51aa55734569d67b400ef60c6c0d13
                            • Opcode Fuzzy Hash: ca1e730759337fa49bbce61ea0016bf7f681cd111c34800b91b137380e4f608d
                            • Instruction Fuzzy Hash: 6171B171C002489BDB00DFA8C945BEEFBB4EF14314F10826EE851B3391EB786A44DBA5
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053F705
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053FA07
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 885266447-0
                            • Opcode ID: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                            • Instruction ID: 1f76d2344d35fe0e13097961589cbfb84b6978ae6f877586e2245b879765d82e
                            • Opcode Fuzzy Hash: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                            • Instruction Fuzzy Hash: E3029C71A04702AFDB18CF29C840B6ABBE4BF88318F14867DE859D7650D774ED94CB92
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                            • Instruction ID: 127d1e6b524efbadbaaaff55744b8fab0cc6e196c82b7e7b6ae44d0b7ee8643f
                            • Opcode Fuzzy Hash: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                            • Instruction Fuzzy Hash: 3BB1F67090060A9BFB28CE68D855ABFBBB1AF04304F140A1FDA52A7791C77D9D21CB59

                            Control-flow Graph (legend: Executed / Not Executed; graph rendering not preserved): function at 004C7B00, basic blocks 4c7b00-4c7ee6, calling setsockopt, recv, WSAGetLastError and Sleep.
                            APIs
                            • setsockopt.WS2_32(00000354,0000FFFF,00001006,?,00000008), ref: 004C7BA6
                            • recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
                            • WSAGetLastError.WS2_32 ref: 004C7BC5
                            • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
                            • recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
                            • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
                            • recv.WS2_32(00000000,?,00000008), ref: 004C7D1B
                              • Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
                              • Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
                              • Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
                              • Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
                              • Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
                              • Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
                              • Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690
                            • recv.WS2_32(?,00000004,00000008), ref: 004C7E23
                            • __Xtime_get_ticks.LIBCPMT ref: 004C7E2A
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
                            • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
                            • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
                            • String ID:
                            • API String ID: 3089209366-0
                            • Opcode ID: f9e28bc168eabd23f713c9d075067e09dfc649ed2f0dd86ee053ab152bb4c171
                            • Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
                            • Opcode Fuzzy Hash: f9e28bc168eabd23f713c9d075067e09dfc649ed2f0dd86ee053ab152bb4c171
                            • Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

                            Control-flow Graph (legend: Executed / Not Executed; graph rendering not preserved): function at 0045E140, basic blocks 45e140-45f452, calling CreateDirectoryA repeatedly.
                            APIs
                              • Part of subcall function 0040B8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E242
                            • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045E3D3
                            • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045E4C6
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045E5BC
                            • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 0045E808
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E986
                            • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045EB1D
                            • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045EC10
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045ED06
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045EDED
                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045F06D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                            • String ID:
                            • API String ID: 453214671-0
                            • Opcode ID: e1ed7e54ebd5b020c8e79904b3ae03e0818e29e9e47e40a3245b38651c09fec3
                            • Instruction ID: 0e418cf523baa0a35c0a910b93c4bb77d5942d6061cfe1063ad62b245a56bb8b
                            • Opcode Fuzzy Hash: e1ed7e54ebd5b020c8e79904b3ae03e0818e29e9e47e40a3245b38651c09fec3
                            • Instruction Fuzzy Hash: 4FA226B0D012688BCB25DB65CD95BDDBBB4AF14304F0040EED44A67282EB785F88DF5A

                            Control-flow Graph (legend: Executed / Not Executed; graph rendering not preserved): function at 004E4720, basic blocks 4e4720-4e4bc0, calling RegGetValueA, GetComputerNameExA, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory and LsaClose.
                            APIs
                            • RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 004E4A70
                            • GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 004E4ADC
                            • LsaOpenPolicy.ADVAPI32(00000000,00587684,00000001,?), ref: 004E4B35
                            • LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 004E4B48
                            • LsaFreeMemory.ADVAPI32(?), ref: 004E4B76
                            • LsaClose.ADVAPI32(?), ref: 004E4B7F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
                            • String ID: %wZ$&"N$;Yb.
                            • API String ID: 762890658-4094109456
                            • Opcode ID: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                            • Instruction ID: db120a3af714b361d6db134a28a940fef9e0d4b71911d12d67c4190411436b99
                            • Opcode Fuzzy Hash: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                            • Instruction Fuzzy Hash: 1EE101B4D0425A8FDB14CF98C985BEEBBB4BF08304F2041AAE949B7341D7745A85CFA5

                            Control-flow Graph (legend: Executed / Not Executed; graph rendering not preserved): function at 00448910, basic blocks 448910-448c9a, calling GetConsoleMode, ReadConsoleW, ReadFile and GetLastError.
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 943b4daea694f09bf5cc7279e1323805ab79d8a6de6c46f62910db13226954fd
                            • Instruction ID: d4d7462daa34083545f9d93f0c5ebf53bf58a01a885379ada905c47cec286c1a
                            • Opcode Fuzzy Hash: 943b4daea694f09bf5cc7279e1323805ab79d8a6de6c46f62910db13226954fd
                            • Instruction Fuzzy Hash: E2B1F4B0A00245AFFB11DF99C881BAE7BB1FF55304F14015EE414AB392CB78AD81CB69

                            Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                            APIs
                            • GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                            • 6CE47CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                            • SetLastError.KERNEL32(00000000), ref: 004D6CFE
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
                            • GetLastError.KERNEL32(?,?,00000000), ref: 004D6D33
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D47
                            Similarity
                            • API ID: ErrorLast$CopyFile
                            • String ID:
                            • API String ID: 936320341-0
                            • Opcode ID: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                            • Instruction ID: cca443e56f4e81c83c2dc89493b37bcb85ee1d7da0cfa031959f485395bd6110
                            • Opcode Fuzzy Hash: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                            • Instruction Fuzzy Hash: 6051C172D01219ABCB21CF94DC55BEEBBB8EB04320F10026AE804B3390D7396E05CBA4

                            Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                            APIs
                            • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
                            • GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
                            • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
                            Strings
                            Similarity
                            • API ID: AddressHandleModuleProcSend
                            • String ID: Ws2_32.dll
                            • API String ID: 2819740048-3093949381
                            • Opcode ID: f134e1088910f21205feb50cafa7421b375cc3c6533d6feb8916e2264968fd77
                            • Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
                            • Opcode Fuzzy Hash: f134e1088910f21205feb50cafa7421b375cc3c6533d6feb8916e2264968fd77
                            • Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96
                            APIs
                              • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                              • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                              • Part of subcall function 004E6C10: CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00465CB0
                            • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465FD5
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                              • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                            • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465EC6
                            Similarity
                            • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                            • String ID:
                            • API String ID: 453214671-0
                            • Opcode ID: 05a502395d9f526f757c14469c863ff3b4cefea8d5e99dd5fdd399119d475625
                            • Instruction ID: bdb7de5e538d98cc2bc1e856d074b668cb5d4ba5ca64421d2565693f44b24664
                            • Opcode Fuzzy Hash: 05a502395d9f526f757c14469c863ff3b4cefea8d5e99dd5fdd399119d475625
                            • Instruction Fuzzy Hash: 8053CFB0D052688FDB65DF55C994BDDBBB0BB58304F0041EAD44AA7292EB382F84DF49
                            APIs
                            • GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                            • GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                            Similarity
                            • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                            • String ID:
                            • API String ID: 995686243-0
                            • Opcode ID: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                            • Instruction ID: 241e2f942859b358e1133ab4bf22632851a161ac9c5554c12c2f2fb0b7350d8e
                            • Opcode Fuzzy Hash: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                            • Instruction Fuzzy Hash: DF11CE71A0028496DB205F6A5C08F6A7F60EB22772F64031BD8359B3D4DB3948058759
                            APIs
                            • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6A20
                              • Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                              • Part of subcall function 004D6BA0: 6CE47CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B84
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B95
                            Similarity
                            • API ID: Cpp_errorThrow_std::_$CopyErrorFileLast
                            • String ID:
                            • API String ID: 1723067277-0
                            • Opcode ID: e483eb5b337a640106d2fd647702f1d046535e5974e3c1cb80ba773399d43a59
                            • Instruction ID: af59b977606615079acd7a310a8afa41bd250120d803ccb4a837ad8b48953fd5
                            • Opcode Fuzzy Hash: e483eb5b337a640106d2fd647702f1d046535e5974e3c1cb80ba773399d43a59
                            • Instruction Fuzzy Hash: 5BD18BB0C00249DBDB04DFA9C9557EEBBB1BF54304F14419ED80577382EB785A45CBA6
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00493D89
                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 00493DAC
                            • RegCloseKey.ADVAPI32(?), ref: 00493DB7
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 77d91e2ffbc41f4e718118182c7f4e60994b52f51d4fd49462c42fe523481256
                            • Instruction ID: c2861601c7c989816088ca7cd521e7ac3defefe444e22908af63c5fcea44e6b0
                            • Opcode Fuzzy Hash: 77d91e2ffbc41f4e718118182c7f4e60994b52f51d4fd49462c42fe523481256
                            • Instruction Fuzzy Hash: C8C136B1D042499FDB14CFA8D986BAEBBB0EF09314F204169E905B7391E7345A84CFA5
                            APIs
                            • CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                              • Part of subcall function 00432BAA: RtlReleaseSRWLockExclusive.NTDLL(004E6D30), ref: 00432BBE
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C84
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C95
                            Similarity
                            • API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
                            • String ID:
                            • API String ID: 1881651058-0
                            • Opcode ID: 1369faf54573f1097b34743c1b99fafbb3d15d6b7359fe2f2678d7eae3eda35f
                            • Instruction ID: b54f6e02dbe68d52aaf8ce57ceccae370b453a77f91dfdb3bbc81736346272f4
                            • Opcode Fuzzy Hash: 1369faf54573f1097b34743c1b99fafbb3d15d6b7359fe2f2678d7eae3eda35f
                            • Instruction Fuzzy Hash: B2F049B1500640FBD7109F999D06B6ABBA8FB05731F14031AFC35A63D0D7B5190087AA
                            APIs
                            • DeleteFileW.KERNELBASE(?,?,0043D2B1,?), ref: 0044B9D8
                            • GetLastError.KERNEL32(?,0043D2B1,?), ref: 0044B9E2
                            • __dosmaperr.LIBCMT ref: 0044B9E9
                            Similarity
                            • API ID: DeleteErrorFileLast__dosmaperr
                            • String ID:
                            • API String ID: 1545401867-0
                            • Opcode ID: 09b3d7d03d43d7566e94fc4839c3f2f0e9d57db1a11ed26f70a1bc8201ac59e9
                            • Instruction ID: 29a5b21677c8caf908dcad016bfb5ae84cbfd6cad116b975ceede8be2d8f2443
                            • Opcode Fuzzy Hash: 09b3d7d03d43d7566e94fc4839c3f2f0e9d57db1a11ed26f70a1bc8201ac59e9
                            • Instruction Fuzzy Hash: 00D0C9321146086BEA106BB6BC089163B6D9A913797140616F52CC52A0EE25C895A665
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004E588F
                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004E5B9B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: DirectoryInformationVolumeWindows
                            • String ID:
                            • API String ID: 3487004747-0
                            • Opcode ID: 0a0dcd09eef47cc32d5847b2942677d40245ae2126d3bdebcd0edae20a9bad6e
                            • Instruction ID: 009fea26e280c08ebde66711631a2368a09a7ac58c7b38572a32fddf838a6e16
                            • Opcode Fuzzy Hash: 0a0dcd09eef47cc32d5847b2942677d40245ae2126d3bdebcd0edae20a9bad6e
                            • Instruction Fuzzy Hash: 81F157B0D002499BDB14CFA8C9957EEBBB1FF08304F24425EE545BB381DB756A84CBA5
                            APIs
                              • Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(6E40838E,00000000,00000000,0043D0C7), ref: 00448F02
                            • WriteFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?,004E6E3C,?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7), ref: 0044990E
                            • GetLastError.KERNEL32(?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7,004E6E3C,?,00000000,?), ref: 00449918
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: ConsoleErrorFileLastOutputWrite
                            • String ID:
                            • API String ID: 2915228174-0
                            • Opcode ID: 31457cb41688bf9267a4d34aaba0591c787e78cc82baf2098e7bb743f7a0da0b
                            • Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
                            • Opcode Fuzzy Hash: 31457cb41688bf9267a4d34aaba0591c787e78cc82baf2098e7bb743f7a0da0b
                            • Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65
                            APIs
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004D676A
                            • std::_Throw_Cpp_error.LIBCPMT ref: 004D677B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Cpp_errorThrow_std::_
                            • String ID:
                            • API String ID: 2134207285-0
                            • Opcode ID: ee00d86a89ee62715d60b896044e90f690cda42d917c0ef1e64fc9d0a964cb8a
                            • Instruction ID: 177bb7d1701b8dda1f5a90c4ee3be826f8175b366ab48e47effb054e9b4aa952
                            • Opcode Fuzzy Hash: ee00d86a89ee62715d60b896044e90f690cda42d917c0ef1e64fc9d0a964cb8a
                            • Instruction Fuzzy Hash: 6441F2B1E002058BC720DF68995136EBBA1BB94314F19072FE815673D1EB79EA04C795
                            APIs
                            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E55
                            • GetLastError.KERNEL32(?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E5F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: ChangeCloseErrorFindLastNotification
                            • String ID:
                            • API String ID: 1687624791-0
                            • Opcode ID: b06bb773f2e3691ac59e29f36838d983fea0542ad72171c0b67bdc6ed3fb0d12
                            • Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
                            • Opcode Fuzzy Hash: b06bb773f2e3691ac59e29f36838d983fea0542ad72171c0b67bdc6ed3fb0d12
                            • Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D
                            APIs
                            • SetFilePointerEx.KERNELBASE(00000000,00000000,0043D0C7,00000000,00000002,00000000,00000000,00000000,00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000), ref: 00442558
                            • GetLastError.KERNEL32(00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000,?,0044982E,00000000,00000000,00000000,00000002,0043D0C7,00000000), ref: 00442565
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer
                            • String ID:
                            • API String ID: 2976181284-0
                            • Opcode ID: 68e58f652f7d6d636abaf7dbd87b622c8ec0f619f1e8a4c00f9091375e275125
                            • Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
                            • Opcode Fuzzy Hash: 68e58f652f7d6d636abaf7dbd87b622c8ec0f619f1e8a4c00f9091375e275125
                            • Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4
                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000000,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B030
                            • GetLastError.KERNEL32(?,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B03B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 485612231-0
                            • Opcode ID: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                            • Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
                            • Opcode Fuzzy Hash: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                            • Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798
                            APIs
                            • Concurrency::cancel_current_task.LIBCPMT ref: 0041546E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Concurrency::cancel_current_task
                            • String ID:
                            • API String ID: 118556049-0
                            • Opcode ID: b9807a8e1e53bdc0741c0b29a15e753e918fcacc6ab5bfcc201a1d379d2a7090
                            • Instruction ID: bd448271620100f3a1b1b6e8090fbb17c8ec551eb96fe3ea9a7077eb077db61a
                            • Opcode Fuzzy Hash: b9807a8e1e53bdc0741c0b29a15e753e918fcacc6ab5bfcc201a1d379d2a7090
                            • Instruction Fuzzy Hash: AF6199B1A00614DFCB10CF59C984B9ABBF5FF88310F24816EE8199B391C778EA41CB95
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                            • Instruction ID: 9663080612542d3e5f9b84a36c3ecf1ef98ea00319430370267f097460dfd66c
                            • Opcode Fuzzy Hash: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                            • Instruction Fuzzy Hash: 2651C670A00204AFDF14DF59C881AAABBA2EF8D328F24915EF8089B352D775DD41CB55
                            APIs
                            • Concurrency::cancel_current_task.LIBCPMT ref: 00429F7B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Concurrency::cancel_current_task
                            • String ID:
                            • API String ID: 118556049-0
                            • Opcode ID: 8482c0d6c957f33918d9138d1bd6797b8604ed2ab317032aa5cc83da2685a5d5
                            • Instruction ID: efe4cd6a287aa12a83b409d23e88dd93d6c4865ddef84cf0d949cd52fc0f7608
                            • Opcode Fuzzy Hash: 8482c0d6c957f33918d9138d1bd6797b8604ed2ab317032aa5cc83da2685a5d5
                            • Instruction Fuzzy Hash: AA410271E001259FCB14DF68C9419AEBBB9EB89310F64422EE815E7381D738DE01CBE4
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: __fread_nolock
                            • String ID:
                            • API String ID: 2638373210-0
                            • Opcode ID: 025cbb467e96eb611f2940d14225f23d526d4ccfef296c2d3f6c21a772ab55fe
                            • Instruction ID: 028c77ef4637c0ac0bfd58be9ca2c186fed01019b569c5d695070078eed700b9
                            • Opcode Fuzzy Hash: 025cbb467e96eb611f2940d14225f23d526d4ccfef296c2d3f6c21a772ab55fe
                            • Instruction Fuzzy Hash: A8517FB0D043499BDB10DF99D986BAEFBB4FF44714F10012EE8416B381D7796A44CBA5
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: __fread_nolock
                            • String ID:
                            • API String ID: 2638373210-0
                            • Opcode ID: 630099f540daf6efa67ea676e65f3a2a0d7fe5641c6b0820276aea293422c398
                            • Instruction ID: 959dba962c579710b3c8227977385e6342f185642bc3a86ace1f34c607c4467c
                            • Opcode Fuzzy Hash: 630099f540daf6efa67ea676e65f3a2a0d7fe5641c6b0820276aea293422c398
                            • Instruction Fuzzy Hash: 78416CB0D04248EBDB14DF99D985BEEBBB4FF48714F10416EE801AB381D7799901CBA5
                            APIs
                            • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00406908
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: ___std_fs_directory_iterator_open@12
                            • String ID:
                            • API String ID: 29801545-0
                            • Opcode ID: c3b8b3600ed0ad07f9a4110fed077291c3700e835e34d0cb827fcc3074b6ad22
                            • Instruction ID: 382a6ddcba4688358f9e0a4ad0208e6a3358ad319658d54a7c18dfc33c73484c
                            • Opcode Fuzzy Hash: c3b8b3600ed0ad07f9a4110fed077291c3700e835e34d0cb827fcc3074b6ad22
                            • Instruction Fuzzy Hash: AB21AE76E00619ABCB14EF49D841BAAB7B4FB84324F00466EED1663780DB396D10CB94
                            APIs
                            • SetupDiGetClassDevsA.SETUPAPI(0055D560,00000000,00000000), ref: 004E5D47
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: ClassDevsSetup
                            • String ID:
                            • API String ID: 2330331845-0
                            • Opcode ID: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
                            • Instruction ID: 3af1858aaf6aa964ebdd9f4359c5c99147492c850a3065a18f0c0dee6211d041
                            • Opcode Fuzzy Hash: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
                            • Instruction Fuzzy Hash: A0110EB1D04B449BE3208F28DD0A757BBF0EB00B28F10471EE850573C1E3BA6A4887E2
                            APIs
                            • Concurrency::cancel_current_task.LIBCPMT ref: 0040331F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: Concurrency::cancel_current_task
                            • String ID:
                            • API String ID: 118556049-0
                            • Opcode ID: 6b439644f511b7bf5bd0b924e2b63d29697b7510f9c6a7035d7f710025fe36b7
                            • Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
                            • Opcode Fuzzy Hash: 6b439644f511b7bf5bd0b924e2b63d29697b7510f9c6a7035d7f710025fe36b7
                            • Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788
                            APIs
                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406853
                              • Part of subcall function 00431F7B: FindNextFileW.KERNELBASE(?,?,?,00406858,?,?,?,?,0040691A,?,?,?,00000000,?,?), ref: 00431F84
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: FileFindNext___std_fs_directory_iterator_advance@8
                            • String ID:
                            • API String ID: 3878998205-0
                            • Opcode ID: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                            • Instruction ID: f155dccb83496c4d8f98fbb14974b26749813e83e467fdfa34ea523ab42003ff
                            • Opcode Fuzzy Hash: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                            • Instruction Fuzzy Hash: 63D05E22701520118D24752738085AF06498DC66A8A42447FB84AB32C2EA2D8C0311AD
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2688779198.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                             • Associated: 00000000.00000002.2688649707.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688940387.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2688980812.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689013674.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689049517.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000727000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000729000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007B0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689081534.00000000007BA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2689681140.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_D44CPdpkNk.jbxd
                            Similarity
                            • API ID: H_prolog3
                            • String ID:
                            • API String ID: 431132790-0
                            • Opcode ID: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                            • Instruction ID: ccf5b3b5ee64302dd7184922bc8d264c22512182c10063c293431932d1ea205a
                            • Opcode Fuzzy Hash: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                            • Instruction Fuzzy Hash: 13E09AB2C0020D9ADB00DFD5C452BEFBBB8AB08315F50446BA205E6181EB789748CBE5