Windows Analysis Report
PNO3otPYOa.exe

Overview

General Information

Sample name: PNO3otPYOa.exe (renamed because the original name is a hash value)
Original sample name: ffccf1df9e560e259284b35348a3989f.exe
Analysis ID: 1460309
MD5: ffccf1df9e560e259284b35348a3989f
SHA1: 853ad3befc8423ebd10442fc1fd3d436b3656afa
SHA256: e2de3f42bd8737b0b825370aa662cf700b88a05832e4c26a3c7d8a3579b03227
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • PNO3otPYOa.exe (PID: 3168 cmdline: "C:\Users\user\Desktop\PNO3otPYOa.exe" MD5: FFCCF1DF9E560E259284B35348A3989F)
    • schtasks.exe (PID: 6520 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5836 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1972 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 2668 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: FFCCF1DF9E560E259284B35348A3989F)
    • WerFault.exe (PID: 5136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1916 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 2272 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: FFCCF1DF9E560E259284B35348A3989F)
    • WerFault.exe (PID: 1988 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1736 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 4956 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: FFCCF1DF9E560E259284B35348A3989F)
  • RageMP131.exe (PID: 4440 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: FFCCF1DF9E560E259284B35348A3989F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\J7z8s88sXcCE6j1G9cCUUTi.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\r_sRxMygZ5JYHZAcFpnL_Yd.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000003.2619633459.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PNO3otPYOa.exe, ProcessId: 3168, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Snort IDS alerts:

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/20/24-19:37:42.593714 | 2046269 | 49707 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:22.677810 | 2046266 | 58709 | 49717 | TCP | A Network Trojan was detected
06/20/24-19:37:42.406359 | 2046269 | 49706 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:38:03.935564 | 2046267 | 58709 | 49717 | TCP | A Network Trojan was detected
06/20/24-19:37:57.156294 | 2046269 | 49717 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:15.832806 | 2046266 | 58709 | 49710 | TCP | A Network Trojan was detected
06/20/24-19:37:50.390622 | 2046269 | 49710 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:01.301696 | 2049060 | 49705 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:47.877509 | 2046267 | 58709 | 49706 | TCP | A Network Trojan was detected
06/20/24-19:37:36.375060 | 2046269 | 49705 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:47.713249 | 2046267 | 58709 | 49705 | TCP | A Network Trojan was detected
06/20/24-19:37:47.917742 | 2046267 | 58709 | 49707 | TCP | A Network Trojan was detected
06/20/24-19:37:01.927137 | 2046266 | 58709 | 49705 | TCP | A Network Trojan was detected
06/20/24-19:37:07.981504 | 2046266 | 58709 | 49706 | TCP | A Network Trojan was detected
06/20/24-19:37:08.081416 | 2046266 | 58709 | 49707 | TCP | A Network Trojan was detected

AV Detection

Source: http://77.91.77.81/mine/amadka.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exen | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe/risepro | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exeh | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe00.1 | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exerracoi$ | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe | Avira URL Cloud: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 57%
Source: PNO3otPYOa.exe | ReversingLabs: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: PNO3otPYOa.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_004C6B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,6_2_004C6B00
Source: PNO3otPYOa.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00493F40
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_004C6000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,6_2_004E6770
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,6_2_00493F40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,6_2_004DFF00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,6_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,6_2_00432022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_004938D0

Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49705
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49706
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49707
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49710
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49710 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49717
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49717 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49705
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49706
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49707
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49717
Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 77.91.77.66:58709
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: ipinfo.io; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 104.26.4.15
Source: Joe Sandbox View | IP Address: 77.91.77.66
Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1; Connection: Keep-Alive; Referer: https://ipinfo.io/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: db-ip.com
Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,0_2_004C8590
                Source: global trafficDNS traffic detected: DNS query: ipinfo.io
                Source: global trafficDNS traffic detected: DNS query: db-ip.com
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/go.exe
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/go.exen
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exe
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exe/risepro
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exe00.1
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exerracoi$
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/mine/amadka.exe
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/mine/amadka.exeh
                Source: Amcache.hve.16.drString found in binary or memory: http://upx.sf.net
                Source: PNO3otPYOa.exe, 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp, PNO3otPYOa.exe, 00000000.00000003.2023432722.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2835935957.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2083193308.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2821306165.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2084187915.00000000028C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2749828404.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2165267286.0000000002890000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2245506050.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2750366653.000000000055D000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/PS
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/Z
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33?2
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33s
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/~
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/~OM
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.3352
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F16000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/SE
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/T
                Source: PNO3otPYOa.exe, 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp, PNO3otPYOa.exe, 00000000.00000003.2023432722.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2835935957.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2083193308.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2821306165.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2084187915.00000000028C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2749828404.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2165267286.0000000002890000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2245506050.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2750366653.000000000055D000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/k
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/uQX
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33?
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000C5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33B
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000DEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33OV
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33o
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33x
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F16000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33G
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33r
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.7
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, J7z8s88sXcCE6j1G9cCUUTi.zip.6.dr, r_sRxMygZ5JYHZAcFpnL_Yd.zip.0.drString found in binary or memory: https://t.me/RiseProSUPPORT
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000E9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT;
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTF
                Source: MPGPH131.exe, 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTJ9U
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000C5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTp;
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTted88
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.drString found in binary or memory: https://t.me/risepro_bot
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot.46.123.33b
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot2
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botDU
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botL
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botY
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisepro
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bots
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.zx
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: PNO3otPYOa.exe, MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                Source: PNO3otPYOa.exe, 00000000.00000003.2610854014.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2604694117.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2605775440.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2603602544.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596911417.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2592530864.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618678401.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2651907976.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2594138136.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2601645989.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2615048675.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2619040137.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2613206614.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2840729994.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618150729.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2617064829.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616066299.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2595194273.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616427478.0000000005812000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/y
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: PNO3otPYOa.exe, 00000000.00000003.2610854014.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2604694117.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2605775440.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2603602544.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596911417.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2592530864.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618678401.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2651907976.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2594138136.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2601645989.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2615048675.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2619040137.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2613206614.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2840729994.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618150729.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2617064829.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616066299.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2595194273.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616427478.0000000005812000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/7)_1
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
                Source: PNO3otPYOa.exe, 00000000.00000003.2610854014.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2604694117.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2605775440.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2603602544.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596911417.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2592530864.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618678401.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2651907976.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2594138136.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2601645989.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2615048675.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2619040137.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2613206614.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2840729994.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618150729.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2617064829.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616066299.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2595194273.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616427478.0000000005812000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/irefoxz
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/t
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
                Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49718 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49719 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49720 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49721 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49722 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49723 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49729 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49730 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49731 version: TLS 1.2
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004E5FF0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,73BC74A0,DeleteObject,DeleteObject,ReleaseDC

                System Summary

                Source: PNO3otPYOa.exe | Static PE information: section name:
                Source: PNO3otPYOa.exe | Static PE information: section name:
                Source: PNO3otPYOa.exe | Static PE information: section name:
                Source: PNO3otPYOa.exe | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0044002D
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DF030
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0049F0D0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004AA200
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0049D3A0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004963B0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00490440
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DE430
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0053F550
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004D7600
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004986B0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0040B8E0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00481C10
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004FAD00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00493F40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0049AF60
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00493080
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004371A0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0044036F
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004A4320
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004845E0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0042F580
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004A3610
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_005486C0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00547760
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004E77E0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004547BF
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0043C960
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0043A928
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0044DA86
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00458BB0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004EEC40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004EFC40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00534D40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00546D20
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00545DE0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00458E30
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00541F00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004F2FD0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0044002D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004DF030
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0049F0D0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004AA200
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0049D3A0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004963B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00490440
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004DE430
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0053F550
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004D7600
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004986B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0040B8E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00481C10
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004FAD00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0049AF60
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00493080
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004371A0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0044036F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004A4320
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004845E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0042F580
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004A3610
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_005486C0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00547760
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004E77E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004547BF
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0043C960
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0043A928
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0044DA86
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00458BB0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004EEC40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004EFC40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00534D40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00546D20
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00545DE0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00458E30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00541F00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004F2FD0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0041ACE0 appears 86 times
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: String function: 0041ACE0 appears 86 times
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1972
                Source: PNO3otPYOa.exe | Binary or memory string: OriginalFilename vs PNO3otPYOa.exe
                Source: PNO3otPYOa.exe, 00000000.00000000.2020714356.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs PNO3otPYOa.exe
                Source: PNO3otPYOa.exe, 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs PNO3otPYOa.exe
                Source: PNO3otPYOa.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs PNO3otPYOa.exe
                Source: PNO3otPYOa.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PNO3otPYOa.exe | Static PE information: Section: ZLIB complexity 0.99894497066428
                Source: PNO3otPYOa.exe | Static PE information: Section: ZLIB complexity 0.9942434210526315
                Source: PNO3otPYOa.exe | Static PE information: Section: ZLIB complexity 0.99072265625
                Source: PNO3otPYOa.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99894497066428
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9942434210526315
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99072265625
                Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99894497066428
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9942434210526315
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99072265625
                Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/62@3/3
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File created: C:\Users\user\AppData\Local\RageMP131
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2272
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2668
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3168
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: PNO3otPYOa.exe, 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp, PNO3otPYOa.exe, 00000000.00000003.2023432722.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2835935957.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2083193308.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2821306165.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2084187915.00000000028C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2749828404.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2165267286.0000000002890000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2245506050.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2750366653.000000000055D000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: PNO3otPYOa.exe, 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp, PNO3otPYOa.exe, 00000000.00000003.2023432722.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2835935957.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2083193308.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2821306165.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2084187915.00000000028C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2749828404.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2165267286.0000000002890000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2245506050.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2750366653.000000000055D000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: PNO3otPYOa.exe, 00000000.00000003.2610474711.000000000581C000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2611164355.0000000005809000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2594074973.0000000005818000.00000004.00000020.00020000.00000000.sdmp, b4ep9YrEJBiwLogin Data.0.dr, YWghbxCAFBJrLogin Data.6.dr, JPQQEN02i61OLogin Data.0.dr, GK7TDaUZmBPNLogin Data For Account.6.dr, b81p5RNJHBPPLogin Data.6.dr, tMEkdeo4FFLNLogin Data For Account.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PNO3otPYOa.exe | ReversingLabs: Detection: 54%
                Source: PNO3otPYOa.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File read: C:\Users\user\Desktop\PNO3otPYOa.exe
                Source: unknown | Process created: C:\Users\user\Desktop\PNO3otPYOa.exe "C:\Users\user\Desktop\PNO3otPYOa.exe"
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1972
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1916
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1736
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: d3d11.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: d3d10warp.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: dxcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: devobj.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: ondemandconnroutehelper.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: webio.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: iphlpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: winnsi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: dnsapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: rasadhlp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: fwpuclnt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: schannel.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: mskeyprotect.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: ncryptsslp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: msasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: cryptsp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: rsaenh.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: cryptbase.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: gpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: windows.storage.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: wldp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: vaultcli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: wintypes.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: ntmarta.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: dpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: rstrtmgr.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: ncrypt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: ntasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: d3d11.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: dxgi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: resourcepolicyclient.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: kernel.appcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: d3d10warp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: uxtheme.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: dxcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: sspicli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: winhttp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: wininet.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: d3d11.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: dxgi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: resourcepolicyclient.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: d3d10warp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: dxcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: devobj.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: webio.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: PNO3otPYOa.exe; Static file information: File size 3423760 > 1048576
                Source: PNO3otPYOa.exe; Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x28c600
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
                Source: initial sample; Static PE information: section where entry point is pointing to: .boot
                Source: PNO3otPYOa.exe; Static PE information: section name:
                Source: PNO3otPYOa.exe; Static PE information: section name:
                Source: PNO3otPYOa.exe; Static PE information: section name:
                Source: PNO3otPYOa.exe; Static PE information: section name:
                Source: PNO3otPYOa.exe; Static PE information: section name: .themida
                Source: PNO3otPYOa.exe; Static PE information: section name: .boot
                Source: RageMP131.exe.0.dr; Static PE information: section name:
                Source: RageMP131.exe.0.dr; Static PE information: section name:
                Source: RageMP131.exe.0.dr; Static PE information: section name:
                Source: RageMP131.exe.0.dr; Static PE information: section name:
                Source: RageMP131.exe.0.dr; Static PE information: section name: .themida
                Source: RageMP131.exe.0.dr; Static PE information: section name: .boot
                Source: MPGPH131.exe.0.dr; Static PE information: section name:
                Source: MPGPH131.exe.0.dr; Static PE information: section name:
                Source: MPGPH131.exe.0.dr; Static PE information: section name:
                Source: MPGPH131.exe.0.dr; Static PE information: section name:
                Source: MPGPH131.exe.0.dr; Static PE information: section name: .themida
                Source: MPGPH131.exe.0.dr; Static PE information: section name: .boot
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_005F6FA2 push ecx; mov dword ptr [esp], 33711A4Ah 0_2_008B6662
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00433F59 push ecx; ret 6_2_00433F6C
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_005F6FA2 push ecx; mov dword ptr [esp], 33711A4Ah 6_2_008B6662
                Source: PNO3otPYOa.exe; Static PE information: section name: entropy: 7.9829541104019395
                Source: RageMP131.exe.0.dr; Static PE information: section name: entropy: 7.9829541104019395
                Source: MPGPH131.exe.0.dr; Static PE information: section name: entropy: 7.9829541104019395
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; File created: C:\ProgramData\MPGPH131\MPGPH131.exe
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

                Boot Survival

                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\ProgramData\MPGPH131\MPGPH131.exeStalling execution: Execution stalls by calling Sleep
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeSystem information queried: FirmwareTableInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSystem information queried: FirmwareTableInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSystem information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeWindow / User API: threadDelayed 419
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeWindow / User API: threadDelayed 444
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeWindow / User API: threadDelayed 353
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-53262
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-53377
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe TID: 5068Thread sleep count: 54 > 30
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe TID: 5068Thread sleep count: 419 > 30
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe TID: 5068Thread sleep time: -42319s >= -30000s
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5032Thread sleep count: 348 > 30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5032Thread sleep time: -35148s >= -30000s
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3364Thread sleep count: 347 > 30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3364Thread sleep time: -35047s >= -30000s
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1216Thread sleep count: 60 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1216Thread sleep count: 444 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1216Thread sleep time: -44844s >= -30000s
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3748Thread sleep count: 353 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3748Thread sleep time: -35653s >= -30000s
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeLast function: Thread delayed
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeLast function: Thread delayed
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00493F40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_004C6000
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,6_2_004E6770
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,6_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,6_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,6_2_00431F9C
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,6_2_00432022
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_004938D0
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: formVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .comVMware20,11696428
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r global passwords blocklistVMware20,11696428655
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWHk
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware20,11696428655
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000DC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: PNO3otPYOa.exe, 00000000.00000003.2617256419.000000000581E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Amcache.hve.16.drBinary or memory string: vmci.sys
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: AMC password management pageVMware20,11696428655
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ebrokers.co.inVMware20,11696428655d
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4468A0FF
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4468A0FFFk21
                Source: Amcache.hve.16.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
                Source: Amcache.hve.16.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.16.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.16.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@J
                Source: Amcache.hve.16.drBinary or memory string: VMware Virtual USB Mouse
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000DFA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: discord.comVMware20,11696428655f
                Source: RageMP131.exe, 0000000A.00000003.2280024617.0000000000F90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,116
                Source: Amcache.hve.16.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: Amcache.hve.16.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: outlook.office.comVMware20,11696428655s
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rootpagecomVMware20,11696428655o
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s.portal.azure.comVMware20,11696428655
                Source: Amcache.hve.16.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.16.drBinary or memory string: vmci.syshbin`
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: PNO3otPYOa.exe, 00000000.00000003.2070484836.0000000000F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}$
                Source: Amcache.hve.16.drBinary or memory string: \driver\vmci,\driver\pci
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pageformVMware20,11696428655
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696(
                Source: MPGPH131.exe, 00000007.00000002.2824312294.0000000005C20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}FilesPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: billing_address_id.comVMware20,11696428
                Source: Amcache.hve.16.drBinary or memory string: VMware
                Source: MPGPH131.exe, 00000007.00000003.2132480957.0000000000E28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#3
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E82000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .utiitsl.comVMware20,1169642865
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: global block list test formVMware20,11696428655
                Source: Amcache.hve.16.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F16000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: RageMP131.exe, 0000000A.00000003.2280024617.0000000000F98000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: eVMware20,11696428655
                Source: Amcache.hve.16.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,1169642865
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000C5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AESCPI\DSDT\VBOX__Virt
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nickname.utiitsl.comVMware20,1169642865
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: Amcache.hve.16.drBinary or memory string: VMware20,1
                Source: Amcache.hve.16.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.16.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.16.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: Amcache.hve.16.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ra Change Transaction PasswordVMware20,11696428655
                Source: Amcache.hve.16.drBinary or memory string: VMware VMCI Bus Device
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o.inVMware20,11696428655~
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: Amcache.hve.16.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000D9D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&5
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4468A0FFT`
                Source: Amcache.hve.16.drBinary or memory string: vmci.syshbin
                Source: Amcache.hve.16.drBinary or memory string: VMware, Inc.
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428657
                Source: Amcache.hve.16.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.16.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: Amcache.hve.16.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}g,u.eg,v.eg,w.eg,x.eg,y.eg,z.eg,a.in,b.in,c.in,d.in,e.in,f.in,g.in,h.in,i.in,j.in,k.in,l.in,m.in,n.in,o.in
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}vgE
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: comVMware20,11696428655o
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: Amcache.hve.16.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: G6hWgD726jZgWeb Data.6.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: Amcache.hve.16.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}g,u.ug,v.ug,w.ug,x.ug,y.ug,z.ug,a.sy,b.sy,c.sy,d.sy,e.sy,f.sy,g.sy,h.sy,i.sy,j.sy,k.sy,l.sy,m.sy,n.sy,o.sy
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW3)
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWF
                Source: Amcache.hve.16.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4468A0FF
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696x.
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeProcess queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h]0_2_004C6D80
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_00493F40 mov eax, dword ptr fs:[00000030h]0_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_004C6D80 mov eax, dword ptr fs:[00000030h]6_2_004C6D80
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00493F40 mov eax, dword ptr fs:[00000030h]6_2_00493F40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,0_2_004E9A70
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043451D
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0043451D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00438A64

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_004CF280
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW, 0_2_004531CA
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: EnumSystemLocalesW, 0_2_0044B1B1
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004532F3
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW, 0_2_004533F9
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004534CF
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW, 0_2_0044B734
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00452B5A
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW, 0_2_00452D5F
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: EnumSystemLocalesW, 0_2_00452E51
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: EnumSystemLocalesW, 0_2_00452E06
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: EnumSystemLocalesW, 0_2_00452EEC
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452F77
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, 6_2_004531CA
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, 6_2_0044B1B1
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_004532F3
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, 6_2_004533F9
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_004534CF
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, 6_2_0044B734
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_00452B5A
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, 6_2_00452D5F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, 6_2_00452E51
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, 6_2_00452E06
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, 6_2_00452EEC
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00452F77
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.16.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.16.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.16.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.16.dr | Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2619633459.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PNO3otPYOa.exe PID: 3168, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2668, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2272, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4956, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4440, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\J7z8s88sXcCE6j1G9cCUUTi.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\r_sRxMygZ5JYHZAcFpnL_Yd.zip, type: DROPPED
                Source: PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets*
                Source: MPGPH131.exe, 00000006.00000002.2840550495.00000000057D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                Source: PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walleta_1n
                Source: PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walleta_1n
                Source: MPGPH131.exe, 00000006.00000002.2840550495.00000000057D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
                Source: PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: MPGPH131.exe, 00000006.00000002.2840550495.00000000057D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_hnfanknocfeofbddgcijnmhnfnkdnaad_0.indexeddb.leveldb\CURRENT
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2668, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2272, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2619633459.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PNO3otPYOa.exe PID: 3168, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2668, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2272, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4956, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4440, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\J7z8s88sXcCE6j1G9cCUUTi.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\r_sRxMygZ5JYHZAcFpnL_Yd.zip, type: DROPPED
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                Execution: Native API (2); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (13); Process Injection (11); Indicator Removal from Tools; HTML Smuggling; Dynamic API Resolution; Stripped Payloads
                Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Query Registry (1); Security Software Discovery (351); Virtualization/Sandbox Evasion (13); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                Collection: Archive Collected Data (1); Data from Local System (2); Screen Capture (1); Email Collection (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1460309
Sample: PNO3otPYOa.exe
Start date: 20/06/2024
Architecture: WINDOWS
Score: 100

DNS/IP info at sample start: ipinfo.io; db-ip.com
Signatures at sample start: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures
Processes started from the sample (numbers in parentheses are the graph's created registry value / created file counts): PNO3otPYOa.exe (1 63); MPGPH131.exe (56); MPGPH131.exe (10 50); 2 other processes

PNO3otPYOa.exe (1 63)
• Network: 77.91.77.66, ports 49705, 49706, 49707 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); ipinfo.io 34.117.186.192, ports 443, 49718, 49719 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); db-ip.com 104.26.4.15, ports 443, 49721, 49722 (CLOUDFLARENETUS, United States)
• Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\r_sRxMygZ5JYHZAcFpnL_Yd.zip (Zip); 2 other malicious files
• Signatures: Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
• Started: WerFault.exe; schtasks.exe (1); schtasks.exe (1)

MPGPH131.exe (56)
• Dropped: C:\Users\user\...\J7z8s88sXcCE6j1G9cCUUTi.zip (Zip)
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call
• Started: WerFault.exe

MPGPH131.exe (10 50)
• Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to detect sandboxes / dynamic malware analysis system (registry check)
• Started: WerFault.exe

WerFault.exe (started by PNO3otPYOa.exe)
• Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)

schtasks.exe (both instances)
• Started: conhost.exe

Source | Detection | Scanner | Label
PNO3otPYOa.exe | 54% | ReversingLabs | Win32.Trojan.RiseProStealer
PNO3otPYOa.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 58% | ReversingLabs | Win32.Trojan.RiseProStealer
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 58% | ReversingLabs | Win32.Trojan.RiseProStealer
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ipinfo.io/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://t.me/risepro_botL | 0% | Avira URL Cloud | safe
https://ipinfo.io:443/widget/demo/8.46.123.33r | 0% | Avira URL Cloud | safe
https://ipinfo.io:443/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
http://77.91.77.81/mine/amadka.exe | 100% | Avira URL Cloud | phishing
https://ipinfo.io/widget/demo/8.46.123.33B | 0% | Avira URL Cloud | safe
https://ipinfo.io/SE | 0% | Avira URL Cloud | safe
https://db-ip.com/~OM | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/go.exe | 100% | Avira URL Cloud | phishing
https://db-ip.com/ | 0% | Avira URL Cloud | safe
https://t.zx | 0% | Avira URL Cloud | safe
https://t.me/risepro_botDU | 0% | Avira URL Cloud | safe
https://db-ip.com:443/demo/home.php?s=8.46.123.3352 | 0% | Avira URL Cloud | safe
https://t.me/risepro_botY | 0% | Avira URL Cloud | safe
https://ipinfo.io/widget/demo/8.46.123.33? | 0% | Avira URL Cloud | safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
https://ipinfo.io/widget/demo/8.46.123.33o | 0% | Avira URL Cloud | safe
https://ipinfo.io/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
https://t.me/risepro_botisepro_bot | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORTF | 0% | Avira URL Cloud | safe
https://t.me/risepro_bot.46.123.33b | 0% | Avira URL Cloud | safe
https://ipinfo.io/k | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORTted88 | 0% | Avira URL Cloud | safe
https://db-ip.com/Z | 0% | Avira URL Cloud | safe
https://t.me/risepro_bot2 | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORT; | 0% | Avira URL Cloud | safe
https://t.7 | 0% | Avira URL Cloud | safe
https://t.me/risepro_botrisepro | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/go.exen | 100% | Avira URL Cloud | phishing
https://ipinfo.io/T | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://ipinfo.io/widget/demo/8.46.123.33x | 0% | Avira URL Cloud | safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe
https://ipinfo.io/Mozilla/5.0 | 0% | Avira URL Cloud | safe
https://ipinfo.io:443/widget/demo/8.46.123.33G | 0% | Avira URL Cloud | safe
https://db-ip.com/PS | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORTJ9U | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/lenin.exe/risepro | 100% | Avira URL Cloud | malware
https://t.me/RiseProSUPPORTp; | 0% | Avira URL Cloud | safe
https://t.me/risepro_bot | 0% | Avira URL Cloud | safe
http://77.91.77.81/mine/amadka.exeh | 100% | Avira URL Cloud | phishing
https://db-ip.com/demo/home.php?s=8.46.123.33?2 | 0% | Avira URL Cloud | safe
https://db-ip.com/~ | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/lenin.exe00.1 | 100% | Avira URL Cloud | phishing
https://ipinfo.io/widget/demo/8.46.123.33OV | 0% | Avira URL Cloud | safe
https://www.maxmind.com/en/locate-my-ip-address | 0% | Avira URL Cloud | safe
https://ipinfo.io/uQX | 0% | Avira URL Cloud | safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | 0% | Avira URL Cloud | safe
https://db-ip.com/demo/home.php?s=8.46.123.33s | 0% | Avira URL Cloud | safe
http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/lenin.exerracoi$ | 100% | Avira URL Cloud | phishing
https://support.mozilla.org | 0% | Avira URL Cloud | safe
https://t.me/risepro_bots | 0% | Avira URL Cloud | safe
https://db-ip.com/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/lenin.exe | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | | unknown
db-ip.com | 104.26.4.15 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/widget/demo/8.46.123.33 | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/ | false | URL Reputation: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33 | false | Avira URL Cloud: safe | unknown
                    • Avira URL Cloud: phishing
                    unknown
                    https://t.me/risepro_botsPNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drfalse
                    • URL Reputation: safe
                    unknown
                    http://77.91.77.81/cost/lenin.exePNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
104.26.4.15 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
77.91.77.66 | unknown | Russian Federation | 42861 | FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1460309
                    Start date and time:2024-06-20 19:36:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 7s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:PNO3otPYOa.exe
                    renamed because original name is a hash value
                    Original Sample Name:ffccf1df9e560e259284b35348a3989f.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@14/62@3/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 67%
                    • Number of executed functions: 52
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.189.173.21
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: PNO3otPYOa.exe
Time | Type | Description
13:37:33 | API Interceptor | 156x Sleep call for process: PNO3otPYOa.exe modified
13:37:39 | API Interceptor | 154x Sleep call for process: MPGPH131.exe modified
13:37:47 | API Interceptor | 267x Sleep call for process: RageMP131.exe modified
13:38:15 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
19:37:01 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
19:37:01 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
19:37:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
19:37:09 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
34.117.186.192 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
34.117.186.192 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | w.sh | malicious | Xmrig | /ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
104.26.4.15 | 포트폴리오.exe | malicious | Nemty, Xmrig | api.db-ip.com/v2/free/102.129.152.212/countryName
77.91.77.66 | YnsEArPlqx.exe | malicious | RisePro Stealer |
77.91.77.66 | AlCsIOd0pd.exe | malicious | RisePro Stealer |
77.91.77.66 | setup.exe | malicious | Amadey, RisePro Stealer |
77.91.77.66 | D44CPdpkNk.exe | malicious | RisePro Stealer |
77.91.77.66 | WGEfBWbWQI.exe | malicious | RisePro Stealer |
77.91.77.66 | 2bT2lTwRku.exe | malicious | RisePro Stealer |
77.91.77.66 | T17sbXrL3i.exe | malicious | RisePro Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | YnsEArPlqx.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | setup.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192
ipinfo.io | D44CPdpkNk.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | 1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 34.117.186.192
ipinfo.io | WGEfBWbWQI.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | 2bT2lTwRku.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | T17sbXrL3i.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | http://telegliam.icu/ | malicious | Unknown | 34.117.186.192
ipinfo.io | https://ingresar-365-msn.glitch.me/ | malicious | Unknown | 34.117.186.192
ipinfo.io | Jr7B1jZMaT.exe | malicious | NovaSentinel | 34.117.186.192
db-ip.com | YnsEArPlqx.exe | malicious | RisePro Stealer | 172.67.75.166
db-ip.com | setup.exe | malicious | Amadey, RisePro Stealer | 104.26.5.15
db-ip.com | D44CPdpkNk.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | 1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 104.26.4.15
db-ip.com | WGEfBWbWQI.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | 2bT2lTwRku.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | T17sbXrL3i.exe | malicious | RisePro Stealer | 172.67.75.166
db-ip.com | file.exe | malicious | RisePro Stealer | 172.67.75.166
db-ip.com | https://curious-kringle-id4964-024b3b3.netlify.app/form.html | malicious | Unknown | 104.26.5.15
db-ip.com | https://glist43-dase23-ac9ae33.netlify.app/dev.html/ | malicious | Unknown | 104.26.5.15
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | YnsEArPlqx.exe | malicious | RisePro Stealer | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | AlCsIOd0pd.exe | malicious | RisePro Stealer | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | setup.exe | malicious | Amadey, RisePro Stealer | 77.91.77.81
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | setup.exe | malicious | Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, XWorm, zgRAT | 77.91.77.81
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | FN MultiHack v2.exe | malicious | RedLine | 77.91.77.6
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | D44CPdpkNk.exe | malicious | RisePro Stealer | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac | malicious | Unknown | 77.91.77.5
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac | malicious | Unknown | 77.91.77.5
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | WGEfBWbWQI.exe | malicious | RisePro Stealer | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | 2bT2lTwRku.exe | malicious | RisePro Stealer | 77.91.77.66
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | YnsEArPlqx.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments | malicious | Unknown | 34.117.239.71
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://my.visme.co/v/pvmd79je-dj6mqv | malicious | Unknown | 34.117.77.79
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | setup.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | D44CPdpkNk.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | 1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | WGEfBWbWQI.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | 2bT2lTwRku.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | T17sbXrL3i.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | http://h3200457.wixsite.com/my-site-1/ | malicious | Unknown | 34.117.60.144
CLOUDFLARENETUS | https://www.guidedtrack.com/programs/a4imwon/run | malicious | Unknown | 162.247.243.39
CLOUDFLARENETUS | trec commercial listing agreement 89746.js | malicious | Unknown | 172.67.183.149
CLOUDFLARENETUS | Budget_Statement.htm | malicious | HTMLPhisher | 104.21.84.200
CLOUDFLARENETUS | YnsEArPlqx.exe | malicious | RisePro Stealer | 172.67.75.166
CLOUDFLARENETUS | https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments | malicious | Unknown | 172.64.151.101
CLOUDFLARENETUS | FAX_202405_136088.xhtml | malicious | Unknown | 104.18.11.207
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.PackedNET.2926.9666.23696.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | ATT001_PlayVM.html | malicious | Unknown | 172.64.151.101
CLOUDFLARENETUS | Products volume.exe | malicious | FormBook | 104.21.84.156
CLOUDFLARENETUS | aaaaa.shtml.html | malicious | HTMLPhisher | 104.18.11.207
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | YnsEArPlqx.exe | malicious | RisePro Stealer | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | Invoice.docm | malicious | Unknown | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PureLog Stealer, zgRAT | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC, Amadey, LummaC Stealer | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | Galaxy Swapper v2.0.3.exe | malicious | LummaC, Xmrig | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
                                  No context
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3423760
                                  Entropy (8bit):7.966391554093995
                                  Encrypted:false
                                  SSDEEP:49152:VjED/HAkn8SIKu4lB38c1uHHkZZorrS7C8ff3AY1/X0aME7FW3gElVcOQW:dQ4k8StuM3T1qHkDGOC8nwGEaMEYK0
                                  MD5:FFCCF1DF9E560E259284B35348A3989F
                                  SHA1:853AD3BEFC8423EBD10442FC1FD3D436B3656AFA
                                  SHA-256:E2DE3F42BD8737B0B825370AA662CF700B88A05832E4C26A3C7D8A3579B03227
                                  SHA-512:E6D700471A381CD17F14BA3DE4BD333088154F5079CAA06F150C19525AB9F2D97C3204542EBF24FEBD622478240330076AF7159973B9F9E21B5EE1D6DC8EEBFA
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 58%
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.0428076029088806
                                  Encrypted:false
                                  SSDEEP:192:8hh/lza8zBn8SE0M8rr6E6jj/ZrUUJcUzuiFJZ24IO8q6t:y+IB//M8rCjqUzuiFJY4IO81
                                  MD5:9EFE39D094149F62E4B822920C50DAA5
                                  SHA1:76F8F6720D68276157F19F79076F6449BC5C4F3C
                                  SHA-256:D46BB0E8623FD7D7674A7C5BF930F7AF296E0F9E541A37135F430FEA635518FE
                                  SHA-512:1057E4F88D120D83A1EEC9767E24ED0AC85E371AE22F76C9050C23280156020511DDF79CC2CE86DB030BB8437D4D466BF456B790463456B5E5540D0F08769361
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.0488163602801615
                                  Encrypted:false
                                  SSDEEP:192:oalDa8zS8SE0M8rr6E6jjsZrSfxjPzuiFJZ24IO8q6t:FuIS//M8rCjzPzuiFJY4IO81
                                  MD5:ED541BBBB4C32673B8C67990E7983086
                                  SHA1:8489D0A5FE06C2BFD5242EFD2CA8C92E1A319433
                                  SHA-256:972C669FCC18B0B76C6F8D80CB0DF2C26311C438FA1498C403D7FB3E0AEF25A9
                                  SHA-512:B083B031F1A3B36A60AF57D2891EF576DEC584A0F18F085BBE9C4FBE2E8AE0178060FE84F74F3E98AA814CEAFA656066816D08394CF41EF08970927EFAF59124
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.0503798544748257
                                  Encrypted:false
                                  SSDEEP:192:YU2fQPoHtWe0mdL11jyZrosLZuzuiFJZ24IO8q:cf2oHtWFmdL11jyuzuiFJY4IO8q
                                  MD5:167EA9DB63CF1BC59132DB9C2C77634C
                                  SHA1:D02D525D90B260F4EADE5319878CB786188C3EF1
                                  SHA-256:373B2C5047C2EB7D66F57F4389725A79140ACD395C63AD7A3B5B6FF642835434
                                  SHA-512:29E3F146A9C0D4B81443BC880B18F3408BA48DB6DDEEBCF3ECEDC22F8A9E4630339E0420597391272F84A676E1E642A4D2B7F413D8FF9F3603D07D2A645138E4
                                  Malicious:true
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 17:37:59 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):104780
                                  Entropy (8bit):2.0575593105994767
                                  Encrypted:false
                                  SSDEEP:384:FT7/BSjit0VFtvQkDhHgOhoaeR+d6iB9TJfqH0By71dbtp1l6FM6d3nFXXH81XeE:FT7/AmtWFtvnZhoayiPI04re
                                  MD5:BECA162DC5610CE8E456E84B9D1634AF
                                  SHA1:7FF337E97D12E014CAEE8939864C3C1B69F2EC9C
                                  SHA-256:FD9520B613BFF14F24E4159A7DB614EC53C014B923DEE0AC967F27C9660373EF
                                  SHA-512:D24E2880778BDB55E6A0994F0158D0CC5798AD7D0691B8E36390658FF8B24E0154D8EB6BAA238AA17FF6D413C5968A7694B30B07C9BEA8A80BE635F65C9326D6
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 17:37:59 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):104260
                                  Entropy (8bit):2.0441715579868625
                                  Encrypted:false
                                  SSDEEP:384:z/rv1c0LQ5ZvgtjojYgG1m+JEuCqLqm4d1xSFZzo3dqeer8cp2pKZ+ZjR+hpNp:fvigQ5Zvgt2qJaZ9S/84c+hd
                                  MD5:18C17676D4901DA7060783F595F801FE
                                  SHA1:79AFA7EDD323B99F5943E4CD944533A7F9E98E90
                                  SHA-256:107FC577502FB59BFD28D05C9426FCF31DF2929C1A43747CFDB1E3907800BD70
                                  SHA-512:3A0428F45AA5919B1917F07B7D9045CD4C643D2501A5B8450084EF532E79DBDFF7C8AC483E33C142BC90937D429FCE5547AAB49CE7BD2CC694B72C00937DCA76
                                  Malicious:false
                                  Preview:MDMP..a..... ........htf....................................l....#...........L..........`.......8...........T...........pJ...L...........#...........%..............................................................................eJ.......&......GenuineIntel............T.......l....htf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8408
                                  Entropy (8bit):3.705993732101529
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJbj6PYdr6YEIvSU925gmf5JjfXHprh89bUZsfly8m:R6lXJf6gdr6YEQSU925gmf5JjfXUUyfe
                                  MD5:6622A1A902E4D4FB219C726FECBAE381
                                  SHA1:B52F3A2BA07D29ED3DC13E9C7973B6453BD97049
                                  SHA-256:AF34BCF1542C17EE89A2D4835C652DCF4F48CA3A7F75CBB54F93B54DF1E49232
                                  SHA-512:2E2C74D21CDADD98846CDAD2FE5457B8909151DA95779E67B5CC4B14A838B3E05B1A611C3754021375D018CBA9D11459949F9BC0E509D5CF4D69F1A8B25AAD8F
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.6.8.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):6380
                                  Entropy (8bit):3.730119993661587
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJzuO6RRCxYiJJjyUHprRo89bUxsfF8m:R6lXJ763CxYaJj/7VUqfb
                                  MD5:8BBA46EAF2E8CEDB613ED9FD62508C44
                                  SHA1:C65D9BFF24D445F6D3E150CA8F9710087AA49A10
                                  SHA-256:62DAFB8FD132B6CC3C69EFF307EBEAECC936C2B23EE57297B4D372D004C58264
                                  SHA-512:73465D1BE26838E77594C0D9D9646AA78B06B3857DF01902035EB6D52E46BB4BFDE5DD2E38C97BF989FFD5DD6C436472F050A8142CE02E86778C2C3864F45E7A
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.6.8.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4713
                                  Entropy (8bit):4.527552274411984
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zslJg77aI978VWpW8VYdYm8M4JwhInFfzHo+q8BRB825youd:uIjf/I7J8k7VpJw2zHoC82youd
                                  MD5:93A8FF81DD87DAE2AB6AB59CDFE7A40D
                                  SHA1:27537C0647B916AA2E3D62E8285A1E3F14CBD0D6
                                  SHA-256:59A17AFA49548550B3612E5A075FED4B07A7D50DA880CABF508A94F535B2D9E5
                                  SHA-512:83D2229FD3B40985555BDFF6BE0A87A846D89504334562EBD5DD5BE0F34E4F1E67196DA0B6E541E7AA3F24ECCC0DA33DDBDF4ABF64450D8328EC57C957265C59
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376360" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4703
                                  Entropy (8bit):4.516209579424874
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zslJg77aI978VWpW8VY1Ym8M4JHFF5q+q8iE825r9Md:uIjf/I7J8k7V1JAU82r9Md
                                  MD5:067863B398B6EAF3192213417F01ABB2
                                  SHA1:1209B88B44134BDAEA842824B1D81DC377EBC96D
                                  SHA-256:BC47836BC342CF4C6C28EFF908EFB467B54236FFC5D6B5BABDEB509D6F387CEE
                                  SHA-512:B7C2E274875A8EDADBA5E13BE0799819DAA750A465A53E0F3ED905B95EF6DA81FAE6F815A91FBB5D4575FA958BAAF22FCB0F17AA7A67A8AA96368C54D85AFD7F
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376360" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 17:38:00 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):103670
                                  Entropy (8bit):2.0458217230493223
                                  Encrypted:false
                                  SSDEEP:384:8xPsUPpmRtv1oifNA013bYUDdipDAv4Dc8gXRG6xuhJ1uOHsP4vvc:+PNBmRtvJfNK3pDzkO
                                  MD5:C519B54D5CC0319B87A8FF2554CD85D8
                                  SHA1:E3EE13ED562D3873D8310CDA37EF8587ECEAEFA3
                                  SHA-256:C4750FA2DCAB9F8686E845FE171CE27B47BA644E6021E29B5830BCB6B5F43505
                                  SHA-512:34A84B73FBF2B859255B9395948DBFBE0781327A659E88C87BAF060255780752309438B6D2908B14E84FFDE1FD37874B0DF1E5AA3F5D432D48CE13FE3FEA0C8A
                                  Malicious:false
                                  Preview:MDMP..a..... ........htf........................,...........l...$#..........rL..........`.......8...........T............I...K...........#..........|%..............................................................................eJ.......&......GenuineIntel............T............htf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):6380
                                  Entropy (8bit):3.730178060711412
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJsun6P6MYiJJjyUHprR189bPBsf+LFm:R6lXJ16P6MYaJj/7iP6fx
                                  MD5:BB82C06CFCB46DD1D812454B2E92B759
                                  SHA1:34C561B5829644134BE0FF9A5C3953EA0BEC442A
                                  SHA-256:386B3DBBD104BAFE699DE299FCE6489177D5726BDB5CA18E7DB42ABE6DD9E5C2
                                  SHA-512:655FE1FEF08A323612147684DDFA6C867532133FA0382A002E68B9A080D5662B34825B0C0E74B7C9DD4D40AE654DD4B0D98C51D082ECA8B5DFCAE94FE660A8DE
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.7.2.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4703
                                  Entropy (8bit):4.518034292058
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zslJg77aI978VWpW8VYSDYm8M4JHFFg+q8iRw825r9dd:uIjf/I7J8k7VaJAa82r9dd
                                  MD5:59568AA4D5EBBD1BE5B313F64E281226
                                  SHA1:8B2D8C0B5DF18F5BB01A9AC4991507F9C3F1FBAA
                                  SHA-256:90458C0B8C6F470BC400C57B8F179BA11FE019832D3131AB84AEC5A644FBF4A8
                                  SHA-512:9B2F37A332A497CEEE982F3A635746361E150A6B8F0D9B5E92044150FBF8DCA4799C89C8F9D1B60FD601B8E2C5EB9EE237A8C8FD5B1230DB2D181C9A0CC2C900
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376360" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3423760
                                  Entropy (8bit):7.966391554093995
                                  Encrypted:false
                                  SSDEEP:49152:VjED/HAkn8SIKu4lB38c1uHHkZZorrS7C8ff3AY1/X0aME7FW3gElVcOQW:dQ4k8StuM3T1qHkDGOC8nwGEaMEYK0
                                  MD5:FFCCF1DF9E560E259284B35348A3989F
                                  SHA1:853AD3BEFC8423EBD10442FC1FD3D436B3656AFA
                                  SHA-256:E2DE3F42BD8737B0B825370AA662CF700B88A05832E4C26A3C7D8A3579B03227
                                  SHA-512:E6D700471A381CD17F14BA3DE4BD333088154F5079CAA06F150C19525AB9F2D97C3204542EBF24FEBD622478240330076AF7159973B9F9E21B5EE1D6DC8EEBFA
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 58%
                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X [...........@.................................K.4......................................a..........8....................................................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..A..........x..............`....boot.....(.. [...(..x..............`..`.reloc...............>4................@................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                  Category:modified
                                  Size (bytes):2794
                                  Entropy (8bit):7.729283648439079
                                  Encrypted:false
                                  SSDEEP:48:9GaJlnPtLea1MSZ9cYcm8w9Xfc8jTUOi4QaNtMNmn3KJ6ukIOfjw:/hfM+9h39E8jAnk3KJp
                                  MD5:BD60B2EE3EF5605B1E1F2903D91A72C0
                                  SHA1:5257FB5433A975BEA6FFC6EB354E1C780D6EC189
                                  SHA-256:B7B35947233B53699C76BB200799BB698DF6537C10C630CB516F95705F7A393D
                                  SHA-512:82A46BADCB399856C8AC24E5760294C0D458AA1224B71DC92DF654E3A251955AC352924A18DC262609711A8866745B47A626BA37F6EF7A8237C63C4FC0640BBE
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\J7z8s88sXcCE6j1G9cCUUTi.zip, Author: Joe Security
                                  Preview:PK.........l.X................Cookies\..PK.........l.X........$.......Cookies\Chrome_Default.txt....P...5.........`.L2J1l..\@.k.D..M'.t.k[Op...k...=..#T......?T...y..8.!(.h.>....o?.E.<.....EvWV.A....r,.4..|...u..<..4..T..w..1....._V..a..jZ....qcY..:.T.I.................l9.u..M.n.Q.W..Y3..".i...N.....;.n....t..].|-8|....W..v.....If&xA,}.`+5~.....Yx-..3..><9.]K.)..in.. .H=.@..FEH.a..<...0.j...t.J,=>6..z.k.x...N...f*.R.+.Y...~i.I..4.....p.Wm...5j.............*....tI..t.o..E....PK.........l.X7$..c...........information.txtuX.o.F.~G..X./.Z|..6OMH...p...K.`.Xgld/.......f'."......|;...:.>..)..o..."....n......5..........J.g.;.(~Jsss.'.aR.L.}....io.'.....Y.......im.O$D..I{..Q.1czA.^@..s.........)..}?..@r..I..,.+..@P?..<G.}.A.qT..2Z...q8..]3...<.1..}Q.$.i..O+..1..E^=..V...E.e.wf.z.e....}.~...,..nF}.xR{..O.n..`..M'../.|....v.........-.i.U.}...i../U..>.F.P'..-..v..r...$_.%.?.<.<..?].o.#0...[.P..Ze..MUd.....0.....(_...L4yop..|2.Y...a.x].,....4O.I.4_$..|xw
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                  Category:modified
                                  Size (bytes):2796
                                  Entropy (8bit):7.724248494348411
                                  Encrypted:false
                                  SSDEEP:48:9kWak5L8DZIJ3SMeH4tRFIelsHBsBMk+pglU5AJHsNt75yjF13xn3KJ6k+kk4Okh:y2t8Du3hx4elwBLkblhHsNtdyjF13x3i
                                  MD5:AEACADAB4F1A902C160797DDEBEDEB31
                                  SHA1:25772AD981C7B64D2080A6FB1024B7EC1750D680
                                  SHA-256:00CEFAB3C386D5BB4921359A7ED121E906AD58A2D9B5303DACC1E0E06564A94E
                                  SHA-512:B201AE56B2F2544AEDA71AA0F44583C0F197F40A6D69549688E2C3FF39D1D84B5FB74B5D892EA7BB89CAA4ACF439C34230F3DF5784C043C8251D5D334F96E4DD
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\r_sRxMygZ5JYHZAcFpnL_Yd.zip, Author: Joe Security
                                  Preview:PK.........l.X................Cookies\..PK.........l.X..E.............Cookies\Chrome_Default.txt....P.@.5.....d...`|L2J1l.. .3."_..N.......q..b..=../c.;{.........4F8...0..Y.........Z}Y.g.<w3.f.W(....K.o..l...!*.......y.o;.F..5%.....|0MS.....J.,....../.o...8.H...,M.......;.....I!.z.W....j...e....fE.?.X....6...g...skL.K.85b.U.5...[/.<.h....C..|...C5"{..i.$...'..W).f.O.i..4.....L..Z..t.Z(].2.m.?..<....]........f..I3?.q..8U.6...8.N.y_#Vb...g.k?.Z1.!.3$.....\.%...PK.........l.X.`.p...........information.txtuX]o..}... ..G..t;iw..4h..i........l.Mw....v.f+....EQ..!).../.1q........s[....p0..'......+.......*..\..I.....|Lb.^.x..:....2.#%(c.(\fT........i($.i.&#..E).F..F..?......|...d)".^e1S.t...#A.x...%.qL&.E..<$......8.}.}....]'.....V?.y^.;.[p9y..I.pk6..W.........J.L,..fc..R...@......-./.|k....e8.~5#'g;gWyQ.c2..y...zL....dVYr.....`b7.3...l ...1..........T.....=.+..E.BnLm.].....d.m...\.5l4.hr9.|6/K.T....(.E^?..E.;...y....|..R......(N
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):13
                                  Entropy (8bit):2.8731406795131336
                                  Encrypted:false
                                  SSDEEP:3:L1UwJW:NW
                                  MD5:FF5612395580C191C4E9F3CA119A8B06
                                  SHA1:37C0A801E15EEB06303696BF566287D3BB462777
                                  SHA-256:F378241037786F4A889F87376E35A42CE36DCFD4E3B55E8D648493744AFAF56A
                                  SHA-512:885DC2E2AE492A6AADADAB8354C3170749533537C73A3E8E233B0D9669064EAA1B8D98303A7AAB3AAAABCA52C4AA5B337E34B79158177A83E20B8370B7E1F43C
                                  Malicious:false
                                  Preview:1718910927363
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):98304
                                  Entropy (8bit):0.08235737944063153
                                  Encrypted:false
                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):159744
                                  Entropy (8bit):0.5394293526345721
                                  Encrypted:false
                                  SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                  MD5:52701A76A821CDDBC23FB25C3FCA4968
                                  SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                  SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                  SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):155648
                                  Entropy (8bit):0.5407252242845243
                                  Encrypted:false
                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                  Category:dropped
                                  Size (bytes):196608
                                  Entropy (8bit):1.121297215059106
                                  Encrypted:false
                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):5242880
                                  Entropy (8bit):0.03859996294213402
                                  Encrypted:false
                                  SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                  MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                  SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                  SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                  SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):159744
                                  Entropy (8bit):0.5394293526345721
                                  Encrypted:false
                                  SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                  MD5:52701A76A821CDDBC23FB25C3FCA4968
                                  SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                  SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                  SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):5242880
                                  Entropy (8bit):0.03859996294213402
                                  Encrypted:false
                                  SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                  MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                  SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                  SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                  SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                  Category:dropped
                                  Size (bytes):196608
                                  Entropy (8bit):1.121297215059106
                                  Encrypted:false
                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.136413900497188
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                  MD5:429F49156428FD53EB06FC82088FD324
                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):51200
                                  Entropy (8bit):0.8746135976761988
                                  Encrypted:false
                                  SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                  MD5:9E68EA772705B5EC0C83C2A97BB26324
                                  SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                  SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                  SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                  Category:dropped
                                  Size (bytes):20480
                                  Entropy (8bit):0.8439810553697228
                                  Encrypted:false
                                  SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                  MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                  SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                  SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                  SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):155648
                                  Entropy (8bit):0.5407252242845243
                                  Encrypted:false
                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.136413900497188
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                  MD5:429F49156428FD53EB06FC82088FD324
                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):40960
                                  Entropy (8bit):0.8553638852307782
                                  Encrypted:false
                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                  Category:dropped
                                  Size (bytes):20480
                                  Entropy (8bit):0.6732424250451717
                                  Encrypted:false
                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                  Category:dropped
                                  Size (bytes):196608
                                  Entropy (8bit):1.121297215059106
                                  Encrypted:false
                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):40960
                                  Entropy (8bit):0.8553638852307782
                                  Encrypted:false
                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.136413900497188
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                  MD5:429F49156428FD53EB06FC82088FD324
                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):98304
                                  Entropy (8bit):0.08235737944063153
                                  Encrypted:false
                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):5242880
                                  Entropy (8bit):0.03859996294213402
                                  Encrypted:false
                                  SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                  MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                  SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                  SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                  SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                  Category:dropped
                                  Size (bytes):196608
                                  Entropy (8bit):1.121297215059106
                                  Encrypted:false
                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):5242880
                                  Entropy (8bit):0.03859996294213402
                                  Encrypted:false
                                  SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                  MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                  SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                  SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                  SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):155648
                                  Entropy (8bit):0.5407252242845243
                                  Encrypted:false
                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):159744
                                  Entropy (8bit):0.5394293526345721
                                  Encrypted:false
                                  SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                  MD5:52701A76A821CDDBC23FB25C3FCA4968
                                  SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                  SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                  SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                  Category:dropped
                                  Size (bytes):196608
                                  Entropy (8bit):1.121297215059106
                                  Encrypted:false
                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):40960
                                  Entropy (8bit):0.8553638852307782
                                  Encrypted:false
                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                  Category:dropped
                                  Size (bytes):20480
                                  Entropy (8bit):0.8439810553697228
                                  Encrypted:false
                                  SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                  MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                  SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                  SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                  SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                  Category:dropped
                                  Size (bytes):196608
                                  Entropy (8bit):1.121297215059106
                                  Encrypted:false
                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.136413900497188
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                  MD5:429F49156428FD53EB06FC82088FD324
                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):155648
                                  Entropy (8bit):0.5407252242845243
                                  Encrypted:false
                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):40960
                                  Entropy (8bit):0.8553638852307782
                                  Encrypted:false
                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):51200
                                  Entropy (8bit):0.8746135976761988
                                  Encrypted:false
                                  SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                  MD5:9E68EA772705B5EC0C83C2A97BB26324
                                  SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                  SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                  SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):159744
                                  Entropy (8bit):0.5394293526345721
                                  Encrypted:false
                                  SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                  MD5:52701A76A821CDDBC23FB25C3FCA4968
                                  SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                  SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                  SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                  Category:dropped
                                  Size (bytes):20480
                                  Entropy (8bit):0.6732424250451717
                                  Encrypted:false
                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.136413900497188
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                  MD5:429F49156428FD53EB06FC82088FD324
                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.136413900497188
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                  MD5:429F49156428FD53EB06FC82088FD324
                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):530
                                  Entropy (8bit):5.999391385907715
                                  Encrypted:false
                                  SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
                                  MD5:06ED2CD304730F55A5C7001509E128BE
                                  SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
                                  SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
                                  SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
                                  Malicious:false
                                  Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:ASCII text, with CRLF, LF line terminators
                                  Category:dropped
                                  Size (bytes):5140
                                  Entropy (8bit):5.286496591697342
                                  Encrypted:false
                                  SSDEEP:96:xLdJBORymc2KBhA6tsxODsnEV3oyCsoni4UjKdOPzPRcHTHloXdOUJ9zbQY9ZcE6:xYYmX6tsxPnEV3oyCsoni4UjKdOPzPRa
                                  MD5:6761FFDB0FE5E15DE95518FD35F142A3
                                  SHA1:67203535AC52419A0259F7D643A3CDED59E8BA62
                                  SHA-256:35C380D660DD0CA203FB7EE902FA6E32AC2C2607090C57CCD8CAA94BFF65DDBE
                                  SHA-512:E4B0CDB5A79F8A83023B5235A843BC77F8D092D5F191D80348B443BEC1F27B1F486DF8D50FE4FEFEF08A1FC2A80BE9E1E01B8A583BE7E244B38DF7CE323B7C22
                                  Malicious:false
                                  Preview:Build: tumer..Version: 2.0....Date: Thu Jun 20 13:37:58 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 02ff77ab384226fd915bcf536983079b....Path: C:\Users\user\Desktop\PNO3otPYOa.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy7YAMvZf65d3U....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 932923 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 13:37:58..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost
                                  Process:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                  Category:dropped
                                  Size (bytes):4897
                                  Entropy (8bit):2.518316437186352
                                  Encrypted:false
                                  SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                  MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                  SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                  SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                  SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                  Malicious:false
                                  Preview:................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):530
                                  Entropy (8bit):5.999391385907715
                                  Encrypted:false
                                  SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
                                  MD5:06ED2CD304730F55A5C7001509E128BE
                                  SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
                                  SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
                                  SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
                                  Malicious:false
                                  Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:ASCII text, with CRLF, LF line terminators
                                  Category:dropped
                                  Size (bytes):5116
                                  Entropy (8bit):5.2871849182596256
                                  Encrypted:false
                                  SSDEEP:96:xLPSORyUc2KBhA6tsxODsnEV3oyCsoni4UjKdOPzPRcHTHloXdOUJ9zbQY9ZcEzh:xpYUX6tsxPnEV3oyCsoni4UjKdOPzPRd
                                  MD5:DE3534F37A2DD05D29EEF315F1651FB9
                                  SHA1:4199ACA7014FED63F0EC75509DD548A81B89EAAA
                                  SHA-256:5737F9BE773E28450221F203CF7887DE809E14A153933F145B43FCF8C97DA8F3
                                  SHA-512:68E5696919338F004FA9816F95A573329058146DD8D0BAC39705DC240BF9D2F9A6D76DD456146374C871C08FDEBC349ECFBC55C7EEA998804BC7DAEC1F298E66
                                  Malicious:false
                                  Preview:Build: tumer..Version: 2.0....Date: Thu Jun 20 13:37:56 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 02ff77ab384226fd915bcf536983079b....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyPy9S1QyQDExg....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 932923 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 13:37:56..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.e
                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                  Category:dropped
                                  Size (bytes):4897
                                  Entropy (8bit):2.518316437186352
                                  Encrypted:false
                                  SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                  MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                  SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                  SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                  SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                  Malicious:false
                                  Preview:................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.425062681519056
                                  Encrypted:false
                                  SSDEEP:6144:ASvfpi6ceLP/9skLmb0OTHWSPHaJG8nAgeMZMMhA2fX4WABlEnNH0uhiTw:rvloTHW+EZMM6DFyd03w
                                  MD5:2799838E099BE06B530414F7A0226C1A
                                  SHA1:7B9C652C2BA7E63CC6B80A785A1D8548CE7F8121
                                  SHA-256:485147C21476864F609B35D13AB84094268D128A94460DA542D70BC94B12E445
                                  SHA-512:976A75FD3E1AC2D50D35C0C20B320998723898254ABC40516ACBD3DD0559F5DAE3BABE6FBDE09C1ED8853425E6F834CBC21E2F8CB76E33E641E1B929FD4A67B4
                                  Malicious:false
                                  Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm>...8................................................................................................................................................................................................................................................................................................................................................v..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.966391554093995
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:PNO3otPYOa.exe
                                  File size:3'423'760 bytes
                                  MD5:ffccf1df9e560e259284b35348a3989f
                                  SHA1:853ad3befc8423ebd10442fc1fd3d436b3656afa
                                  SHA256:e2de3f42bd8737b0b825370aa662cf700b88a05832e4c26a3c7d8a3579b03227
                                  SHA512:e6d700471a381cd17f14ba3de4bd333088154f5079caa06f150c19525ab9f2d97c3204542ebf24febd622478240330076af7159973b9f9e21b5ee1d6dc8eebfa
                                  SSDEEP:49152:VjED/HAkn8SIKu4lB38c1uHHkZZorrS7C8ff3AY1/X0aME7FW3gElVcOQW:dQ4k8StuM3T1qHkDGOC8nwGEaMEYK0
                                  TLSH:7AF533F48D252B63CDB27B39F199C2A2C555A70EFE220210D71F4B37E65944C8FA660E
                                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                  Icon Hash:8596a1a0a1a1b171
                                  Entrypoint:0x9b2058
                                  Entrypoint Section:.boot
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:63814aaf116ba6abb6496ce4bcad24c6
                                  Instruction
                                  call 00007F7F55145F00h
                                  push ebx
                                  mov ebx, esp
                                  push ebx
                                  mov esi, dword ptr [ebx+08h]
                                  mov edi, dword ptr [ebx+10h]
                                  cld
                                  mov dl, 80h
                                  mov al, byte ptr [esi]
                                  inc esi
                                  mov byte ptr [edi], al
                                  inc edi
                                  mov ebx, 00000002h
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jnc 00007F7F55145D9Ch
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jnc 00007F7F55145E03h
                                  xor eax, eax
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jnc 00007F7F55145E97h
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  je 00007F7F55145DBAh
                                  push edi
                                  mov eax, eax
                                  sub edi, eax
                                  mov al, byte ptr [edi]
                                  pop edi
                                  mov byte ptr [edi], al
                                  inc edi
                                  mov ebx, 00000002h
                                  jmp 00007F7F55145D4Bh
                                  mov eax, 00000001h
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jc 00007F7F55145D9Ch
                                  sub eax, ebx
                                  mov ebx, 00000001h
                                  jne 00007F7F55145DDAh
                                  mov ecx, 00000001h
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc ecx, ecx
                                  add dl, dl
                                  jne 00007F7F55145DB7h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jc 00007F7F55145D9Ch
                                  push esi
                                  mov esi, edi
                                  sub esi, ebp
                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x19618b         0x184         .idata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x18a000         0x1638        .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x83f000         0x10          .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_TLS             0x197018         0x18          .tls
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x18369c         0x40
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                   Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy              Characteristics
                                   (unnamed)  0x1000           0x15bbc8      0x9d200   704f84dc4d8bbd70ffda9fffa3164feb  False     0.99894497066428    data                  7.9829541104019395   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   (unnamed)  0x15d000         0x27e32       0x10a00   b9b845c2e26aa804b504a540eb5289e9  False     0.9942434210526315  data                  7.95626204675532     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   (unnamed)  0x185000         0x4930        0x800     6568f0d039b9cb8113af9a3f7d48baa7  False     0.99072265625       data                  7.776435545825896    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc      0x18a000         0x1638        0x1800    fe6f3fdb9e7e97cba92d8ce4e4fcc95b  False     0.7220052083333334  data                  6.54017046361188     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   (unnamed)  0x18c000         0x9858        0x7200    1e9932f2b29ff172f27a610c95372196  False     0.9780016447368421  data                  7.923419598084439    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   .idata     0x196000         0x1000        0x400     1b20e07443fa333ff9692026d1e6c6c2  False     0.3984375           data                  3.42439969016873     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .tls       0x197000         0x1000        0x200     54a50a058e0f3b6aa2fe1b22e2033106  False     0.056640625         data                  0.18120187678200297  IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .themida   0x198000         0x41a000      0x0       d41d8cd98f00b204e9800998ecf8427e  unknown   unknown             unknown               unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .boot      0x5b2000         0x28c600      0x28c600  77e4c3ea57cd417e3d9cd40afc7fac04  unknown   unknown             unknown               unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .reloc     0x83f000         0x1000        0x10      f5bc99b71bad9e8a775cc32747e3ca58  False     1.5                 GLS_BINARY_LSB_FIRST  2.474601752714581    IMAGE_SCN_MEM_READ
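The section table above is read the way a triager reads any packed sample: near-maximal entropy in every section that has data on disk, a section (.themida) with 0x41a000 bytes of virtual size and no raw data at all, and an entry point that lives in .boot rather than in the first code section. The following script is an added example, not code from the sandbox report or from the sample's authors: it parses PE section headers with the Python standard library only and prints exactly those indicators. The PE it runs on is a synthetic image built in build_test_image(), not the analysed file.

```python
"""Parse PE section headers and flag the packer indicators a section table exposes.

Added example, not code from the sandbox report or from the sample's authors.
Checks: sections whose on-disk data has entropy near 8 bits/byte, sections with
a large virtual size but zero raw bytes (filled in at run time), sections that
are both writable and executable, non-standard section names, and an entry
point outside the first code section. build_test_image() constructs a
synthetic PE32 for demonstration; it is not the analysed sample.
"""
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020      # flags from winnt.h
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "characteristics": chars,
            "entropy": shannon_entropy(image[rawptr:rawptr + rawsize]),
        })
    return entry_rva, sections


def packer_indicators(entry_rva: int, sections) -> list:
    """Human-readable findings; an empty list means nothing looked packed."""
    findings = []
    for s in sections:
        tag, c = s["name"] or "(unnamed)", s["characteristics"]
        if s["rawsize"] and s["entropy"] > 7.0:
            findings.append(f"{tag}: entropy {s['entropy']:.2f} (compressed or encrypted)")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{tag}: 0 bytes on disk, 0x{s['vsize']:x} bytes in memory")
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{tag}: writable and executable")
        if s["name"] and s["name"] not in STANDARD_NAMES:
            findings.append(f"{tag}: non-standard section name")
    code = [s for s in sections if s["characteristics"] & IMAGE_SCN_CNT_CODE]
    home = next((s for s in sections
                 if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if code and home is not None and home is not code[0]:
        findings.append(f"entry point 0x{entry_rva:x} is in {home['name'] or '(unnamed)'}, "
                        f"not in the first code section")
    return findings


def build_test_image() -> bytes:
    """Constructed three-section PE32 (synthetic test input, not the sample)."""
    packed = bytes(range(256)) * 8                       # uniform bytes: entropy 8.0
    stub = b"\x90" * 64                                  # tiny low-entropy stub
    secs = [  # (name, VirtualSize, raw data, Characteristics)
        (b".text", 0x10000, packed, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".packed", 0x20000, b"", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".stub", 0x1000, stub, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ]
    e_lfanew, size_opt, align = 0x40, 0xE0, 0x200
    raw_ptr = -(-(e_lfanew + 24 + size_opt + 40 * len(secs)) // align) * align
    headers, body, va = [], b"", 0x1000
    for name, vsize, raw, chars in secs:
        padded = raw + b"\0" * (-len(raw) % align)       # file alignment padding
        headers.append(struct.pack("<8sIIIIIIHHI", name, vsize, va, len(padded),
                                   raw_ptr + len(body) if padded else 0, 0, 0, 0, 0, chars))
        body += padded
        va += (vsize + 0xFFF) & ~0xFFF                   # section alignment 0x1000
    entry = 0x1000 + 0x10000 + 0x20000                   # lands inside .stub, the last section
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, size_opt, 0x102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry).ljust(size_opt, b"\0")
    image = dos + b"PE\0\0" + file_hdr + opt_hdr + b"".join(headers)
    return image.ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    ep, secs = parse_sections(build_test_image())
    for line in packer_indicators(ep, secs):
        print(line)
```

Pointing parse_sections() at a real file is a matter of passing open(path, "rb").read(); the checks are deliberately header-only, so they also work on a sample you would rather not execute. The entropy threshold of 7.0 is a common triage heuristic, not a hard rule: resource sections holding PNG icons (such as the .rsrc entry above, at 6.54) sit just below it, while compressed or encrypted code sits at 7.9 and above.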
                                   Name           RVA       Size    Type                                                         Language  Country        ZLIB Complexity
                                   RT_ICON        0x18a440  0x1060  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced  Russian   Russia         0.8838263358778626
                                   RT_GROUP_ICON  0x18b4a0  0x14    data                                                         Russian   Russia         1.05
                                   RT_VERSION     0x18a130  0x310   data                                                         Russian   Russia         0.45408163265306123
                                   RT_MANIFEST    0x18b4b8  0x17d   XML 1.0 document, ASCII text, with CRLF line terminators     English   United States  0.5931758530183727
                                   DLL           Import
                                   kernel32.dll  GetModuleHandleA
                                   USER32.dll    wsprintfA
                                   GDI32.dll     CreateCompatibleBitmap
                                   ADVAPI32.dll  RegQueryValueExA
                                   SHELL32.dll   ShellExecuteA
                                   ole32.dll     CoInitialize
                                   WS2_32.dll    WSAStartup
                                   CRYPT32.dll   CryptUnprotectData
                                   SHLWAPI.dll   PathFindExtensionA
                                   gdiplus.dll   GdipGetImageEncoders
                                   SETUPAPI.dll  SetupDiEnumDeviceInfo
                                   ntdll.dll     RtlUnicodeStringToAnsiString
                                   RstrtMgr.DLL  RmStartSession
                                   Language of compilation system  Country where language is spoken
                                   Russian                         Russia
                                   English                         United States
                                   Timestamp                 Protocol  SID      Message                                        Source Port  Dest Port  Source IP    Dest IP
                                   06/20/24-19:37:42.593714  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49707        58709      192.168.2.5  77.91.77.66
                                   06/20/24-19:37:22.677810  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49717      77.91.77.66  192.168.2.5
                                   06/20/24-19:37:42.406359  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49706        58709      192.168.2.5  77.91.77.66
                                   06/20/24-19:38:03.935564  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)  58709        49717      77.91.77.66  192.168.2.5
                                   06/20/24-19:37:57.156294  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49717        58709      192.168.2.5  77.91.77.66
                                   06/20/24-19:37:15.832806  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49710      77.91.77.66  192.168.2.5
                                   06/20/24-19:37:50.390622  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49710        58709      192.168.2.5  77.91.77.66
                                   06/20/24-19:37:01.301696  TCP       2049060  ET TROJAN RisePro TCP Heartbeat Packet         49705        58709      192.168.2.5  77.91.77.66
                                   06/20/24-19:37:47.877509  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)  58709        49706      77.91.77.66  192.168.2.5
                                   06/20/24-19:37:36.375060  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49705        58709      192.168.2.5  77.91.77.66
                                   06/20/24-19:37:47.713249  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)  58709        49705      77.91.77.66  192.168.2.5
                                   06/20/24-19:37:47.917742  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)  58709        49707      77.91.77.66  192.168.2.5
                                   06/20/24-19:37:01.927137  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49705      77.91.77.66  192.168.2.5
                                   06/20/24-19:37:07.981504  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49706      77.91.77.66  192.168.2.5
                                   06/20/24-19:37:08.081416  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49707      77.91.77.66  192.168.2.5
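The IDS table above is not in time order and records server-to-client packets with source and destination swapped, so the order of the RisePro phases on each connection (Heartbeat, Token, Activity, External IP) is hard to see by eye. The script below is an added example, not code from the sandbox report or its vendor: it parses rows in a one-row-per-line "timestamp proto sid message sport dport sip dip" layout, keys every hit by the client's ephemeral port regardless of packet direction, and prints a per-connection timeline plus a count of distinct client ports that reached the same server endpoint. SAMPLE_ALERTS is constructed from the rows above; the client-network prefix used to decide which side is the client is an assumption passed as a parameter.

```python
"""Rebuild per-connection C2 phase timelines from flat IDS alert rows.

Added example, not code from the sandbox report or from its vendor.
SAMPLE_ALERTS is constructed from the alert table on this page; the layout
is 'timestamp proto sid message sport dport sip dip' with one row per line.
Which endpoint is the client is decided by an assumed client-network prefix.
"""
import re
from collections import defaultdict
from datetime import datetime

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sip>[\d.]+)\s+(?P<dip>[\d.]+)$")

SAMPLE_ALERTS = """\
06/20/24-19:37:42.593714 TCP 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 49707 58709 192.168.2.5 77.91.77.66
06/20/24-19:37:22.677810 TCP 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 58709 49717 77.91.77.66 192.168.2.5
06/20/24-19:37:42.406359 TCP 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 49706 58709 192.168.2.5 77.91.77.66
06/20/24-19:38:03.935564 TCP 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 58709 49717 77.91.77.66 192.168.2.5
06/20/24-19:37:57.156294 TCP 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 49717 58709 192.168.2.5 77.91.77.66
06/20/24-19:37:15.832806 TCP 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 58709 49710 77.91.77.66 192.168.2.5
06/20/24-19:37:50.390622 TCP 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 49710 58709 192.168.2.5 77.91.77.66
06/20/24-19:37:01.301696 TCP 2049060 ET TROJAN RisePro TCP Heartbeat Packet 49705 58709 192.168.2.5 77.91.77.66
06/20/24-19:37:47.877509 TCP 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 58709 49706 77.91.77.66 192.168.2.5
06/20/24-19:37:36.375060 TCP 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 49705 58709 192.168.2.5 77.91.77.66
06/20/24-19:37:47.713249 TCP 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 58709 49705 77.91.77.66 192.168.2.5
06/20/24-19:37:47.917742 TCP 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 58709 49707 77.91.77.66 192.168.2.5
06/20/24-19:37:01.927137 TCP 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 58709 49705 77.91.77.66 192.168.2.5
06/20/24-19:37:07.981504 TCP 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 58709 49706 77.91.77.66 192.168.2.5
06/20/24-19:37:08.081416 TCP 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 58709 49707 77.91.77.66 192.168.2.5
"""


def parse_alert(line: str):
    """One row -> dict, or None for lines that do not match the layout."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"time": datetime.strptime(d["ts"], "%m/%d/%y-%H:%M:%S.%f"),
            "sid": int(d["sid"]), "msg": d["msg"],
            "src": (d["sip"], int(d["sport"])), "dst": (d["dip"], int(d["dport"]))}


def phase(msg: str) -> str:
    """Protocol phase named by the rule: the parenthesised suffix, else Heartbeat."""
    m = re.search(r"\(([^)]+)\)\s*$", msg)
    if m:
        return m.group(1)
    return "Heartbeat" if "Heartbeat" in msg else msg


def sessions(lines, client_prefix="192.168."):
    """Group hits by (client endpoint, server endpoint), ignoring packet direction."""
    by_conn = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        client, server = ((a["src"], a["dst"]) if a["src"][0].startswith(client_prefix)
                          else (a["dst"], a["src"]))
        by_conn[(client, server)].append((a["time"], a["sid"], phase(a["msg"])))
    return {conn: sorted(hits) for conn, hits in by_conn.items()}   # chronological


def summarize(sess):
    """Per server endpoint: how many client ports reached it and over what span."""
    per_server = {}
    for (client, server), hits in sess.items():
        e = per_server.setdefault(server, {"ports": set(), "times": []})
        e["ports"].add(client[1])
        e["times"].extend(t for t, _, _ in hits)
    return {srv: {"connections": len(e["ports"]),
                  "span_s": (max(e["times"]) - min(e["times"])).total_seconds()}
            for srv, e in per_server.items()}


if __name__ == "__main__":
    sess = sessions(SAMPLE_ALERTS.splitlines())
    for (client, server), hits in sorted(sess.items()):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: "
              + " -> ".join(f"{t:%H:%M:%S} {p}" for t, _, p in hits))
    print(summarize(sess))
```

On the rows above this yields five connections to 77.91.77.66:58709, one per ephemeral port, and the fully observed one (49705) runs Heartbeat, Token, Activity, External IP in that order. Keying on the client port rather than on the packet's source/destination pair is what makes the direction flips in the raw table harmless.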
                                   Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                   Jun 20, 2024 19:37:01.287550926 CEST  49705        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:01.292855978 CEST  58709        49705      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:01.292953014 CEST  49705        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:01.301696062 CEST  49705        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:01.307260990 CEST  58709        49705      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:01.927136898 CEST  58709        49705      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:01.968506098 CEST  49705        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:05.047399998 CEST  49705        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:05.057240963 CEST  58709        49705      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:07.386627913 CEST  49706        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:07.391844988 CEST  58709        49706      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:07.391941071 CEST  49706        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:07.411282063 CEST  49706        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:07.416347027 CEST  58709        49706      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:07.461322069 CEST  49707        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:07.466427088 CEST  58709        49707      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:07.466516972 CEST  49707        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:07.503098011 CEST  49707        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:07.508136988 CEST  58709        49707      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:07.981503963 CEST  58709        49706      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:08.031112909 CEST  49706        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:08.081415892 CEST  58709        49707      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:08.124867916 CEST  49707        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:11.109308004 CEST  49706        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:11.114994049 CEST  58709        49706      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:11.234564066 CEST  49707        58709      192.168.2.5  77.91.77.66
                                   Jun 20, 2024 19:37:11.239604950 CEST  58709        49707      77.91.77.66  192.168.2.5
                                   Jun 20, 2024 19:37:15.202086926 CEST  49710        58709      192.168.2.5  77.91.77.66
                                  Jun 20, 2024 19:37:15.207036018 CEST587094971077.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:15.207138062 CEST4971058709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:15.224860907 CEST4971058709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:15.230298996 CEST587094971077.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:15.832806110 CEST587094971077.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:15.874779940 CEST4971058709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:18.953147888 CEST4971058709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:18.960094929 CEST587094971077.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:22.081100941 CEST4971758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:22.086165905 CEST587094971777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:22.086261988 CEST4971758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:22.259413958 CEST4971758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:22.266737938 CEST587094971777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:22.677809954 CEST587094971777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:22.718578100 CEST4971758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:25.812556982 CEST4971758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:25.817529917 CEST587094971777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:36.375060081 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:36.380017996 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:42.406358957 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:42.411676884 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:42.593713999 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:42.598709106 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:47.713248968 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:47.760153055 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:47.760243893 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:47.760343075 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:47.761334896 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:47.761370897 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:47.765525103 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:47.877509117 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:47.914457083 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:47.914489031 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:47.914551020 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:47.915666103 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:47.915682077 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:47.917742014 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:47.921751976 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:47.968658924 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.024605989 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.024638891 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.024714947 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.025751114 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.025768042 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.027947903 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.078007936 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.111917019 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.128631115 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.156379938 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.171849966 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.219132900 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.235811949 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.235917091 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.239931107 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.239954948 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.240298033 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.265501022 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.281120062 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.300213099 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.304678917 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.330091000 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.340532064 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.359249115 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.374874115 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.380395889 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.380549908 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.385389090 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.422669888 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.422751904 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.424065113 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.424074888 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.425168991 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.436002970 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.436315060 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.436383009 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.438431978 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.438467979 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.438534021 CEST49718443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.438554049 CEST4434971834.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.450334072 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.450362921 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.450423956 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.450757980 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.450773001 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.465256929 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.466274977 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.466542959 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.471375942 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.501920938 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.502013922 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.503118038 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.503123999 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.503901005 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.507531881 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.507653952 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:48.512499094 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.512597084 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:48.540596008 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.588504076 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.601069927 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.601375103 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.601439953 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.601778030 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.601792097 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.601807117 CEST49719443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.601813078 CEST4434971934.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.603864908 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.603893995 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.603969097 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.604266882 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.604293108 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.669451952 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.669748068 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.669943094 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.670371056 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.670378923 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.670391083 CEST49720443192.168.2.534.117.186.192
                                  Jun 20, 2024 19:37:48.670396090 CEST4434972034.117.186.192192.168.2.5
                                  Jun 20, 2024 19:37:48.672796965 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.672894001 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.673062086 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.673360109 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.673398972 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.933823109 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.933877945 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.935532093 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.935537100 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.936021090 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:48.937170029 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:48.984540939 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.090873003 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.090954065 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.092211962 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.092223883 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.093290091 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.094626904 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.136502028 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.143208981 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.143452883 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.143522978 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.144642115 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.144659996 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.144670010 CEST49721443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.144675970 CEST44349721104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.145044088 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.147260904 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.147344112 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.148415089 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.148430109 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.148643970 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.149745941 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.150027037 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.192511082 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.257055044 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.257303953 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.257390976 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.257601023 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.257615089 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.257637024 CEST49722443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.257642031 CEST44349722104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.262053013 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.266906023 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.313019037 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.313246012 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.314066887 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.314131975 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.314131975 CEST49723443192.168.2.5104.26.4.15
                                  Jun 20, 2024 19:37:49.314173937 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.314196110 CEST44349723104.26.4.15192.168.2.5
                                  Jun 20, 2024 19:37:49.314304113 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.319245100 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.510782957 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.562377930 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.587295055 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.592242956 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.618470907 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.671777964 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.684211969 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.703202963 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.708045959 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.734302998 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.750003099 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.755323887 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.817308903 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.859292030 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.921926022 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.923238993 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.926872015 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:49.968626022 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:49.981969118 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.031127930 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.031258106 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.037857056 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.078188896 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.085988045 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.152786970 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.152812004 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.152829885 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.152862072 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.152887106 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.152920008 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.152942896 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.153266907 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.153297901 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.153347969 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.153709888 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.153764009 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.153769016 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.153808117 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.153856993 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.154078960 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.154186964 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.154221058 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.154269934 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.154637098 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.154690981 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.154891014 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.154978991 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.155008078 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.155039072 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.198272943 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.269437075 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.269507885 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.269547939 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.269572020 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.269582987 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.269624949 CEST587094970577.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.269639015 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.273401022 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.273457050 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.273514986 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.273521900 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.273550987 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.273586988 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.273638964 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.273941994 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.273972034 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.273993969 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.274048090 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.274105072 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.274137974 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.274157047 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.274194956 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.274480104 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.274509907 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.274790049 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.274840117 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.274847031 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.274882078 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.274899960 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.275846958 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.275876999 CEST587094970677.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.275927067 CEST4970658709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.312520027 CEST4970558709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.330236912 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.330364943 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.330399036 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.330429077 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.330435991 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.330800056 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.330852985 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.330858946 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.330893993 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.330943108 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.331598043 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.331634045 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.331646919 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.331671000 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.331717968 CEST4970758709192.168.2.577.91.77.66
                                  Jun 20, 2024 19:37:50.331883907 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.332091093 CEST587094970777.91.77.66192.168.2.5
                                  Jun 20, 2024 19:37:50.332123995 CEST587094970777.91.77.66192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 20, 2024 19:37:47.746732950 CEST | 57532 | 53 | 192.168.2.5 | 1.1.1.1
Jun 20, 2024 19:37:47.755863905 CEST | 53 | 57532 | 1.1.1.1 | 192.168.2.5
Jun 20, 2024 19:37:48.441241980 CEST | 61458 | 53 | 192.168.2.5 | 1.1.1.1
Jun 20, 2024 19:37:48.449810028 CEST | 53 | 61458 | 1.1.1.1 | 192.168.2.5
Jun 20, 2024 19:38:03.915859938 CEST | 51458 | 53 | 192.168.2.5 | 1.1.1.1
Jun 20, 2024 19:38:03.924170017 CEST | 53 | 51458 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 20, 2024 19:37:47.746732950 CEST | 192.168.2.5 | 1.1.1.1 | 0x4973 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Jun 20, 2024 19:37:48.441241980 CEST | 192.168.2.5 | 1.1.1.1 | 0xddef | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Jun 20, 2024 19:38:03.915859938 CEST | 192.168.2.5 | 1.1.1.1 | 0xd680 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 20, 2024 19:37:47.755863905 CEST | 1.1.1.1 | 192.168.2.5 | 0x4973 | No error (0) | ipinfo.io | (none) | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Jun 20, 2024 19:37:48.449810028 CEST | 1.1.1.1 | 192.168.2.5 | 0xddef | No error (0) | db-ip.com | (none) | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Jun 20, 2024 19:37:48.449810028 CEST | 1.1.1.1 | 192.168.2.5 | 0xddef | No error (0) | db-ip.com | (none) | 172.67.75.166 | A (IP address) | IN (0x0001) | false
Jun 20, 2024 19:37:48.449810028 CEST | 1.1.1.1 | 192.168.2.5 | 0xddef | No error (0) | db-ip.com | (none) | 104.26.5.15 | A (IP address) | IN (0x0001) | false
Jun 20, 2024 19:38:03.924170017 CEST | 1.1.1.1 | 192.168.2.5 | 0xd680 | No error (0) | ipinfo.io | (none) | 34.117.186.192 | A (IP address) | IN (0x0001) | false
                                  • ipinfo.io
                                  • https:
                                  • db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.5 | 49704 | 34.117.186.192 | 443

Timestamp | Bytes transferred | Direction | Data
2024-06-20 17:36:50 UTC | 59 | OUT | GET / HTTP/1.1
Host: ipinfo.io
Connection: Keep-Alive
2024-06-20 17:36:50 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 20 Jun 2024 17:36:50 GMT
content-type: application/json; charset=utf-8
Content-Length: 319
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-20 17:36:50 UTC | 319 | IN | Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22
Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49718 | 34.117.186.192 | 443 | 3168 | C:\Users\user\Desktop\PNO3otPYOa.exe

Timestamp | Bytes transferred | Direction | Data
2024-06-20 17:37:48 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-06-20 17:37:48 UTC | 514 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 20 Jun 2024 17:37:48 GMT
content-type: application/json; charset=utf-8
Content-Length: 1025
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 3
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-20 17:37:48 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 17:37:48 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49719 | 34.117.186.192 | 443 | 2668 | C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data
2024-06-20 17:37:48 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-06-20 17:37:48 UTC | 514 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 20 Jun 2024 17:37:48 GMT
content-type: application/json; charset=utf-8
Content-Length: 1025
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-20 17:37:48 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 17:37:48 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  3192.168.2.54972034.117.186.1924432272C:\ProgramData\MPGPH131\MPGPH131.exe
                                  TimestampBytes transferredDirectionData
                                  2024-06-20 17:37:48 UTC236OUTGET /widget/demo/8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Referer: https://ipinfo.io/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: ipinfo.io
                                  2024-06-20 17:37:48 UTC514INHTTP/1.1 200 OK
                                  server: nginx/1.24.0
                                  date: Thu, 20 Jun 2024 17:37:48 GMT
                                  content-type: application/json; charset=utf-8
                                  Content-Length: 1025
                                  access-control-allow-origin: *
                                  x-frame-options: SAMEORIGIN
                                  x-xss-protection: 1; mode=block
                                  x-content-type-options: nosniff
                                  referrer-policy: strict-origin-when-cross-origin
                                  x-envoy-upstream-service-time: 4
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close
Timestamp: 2024-06-20 17:37:48 UTC, Bytes transferred: 876, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
Timestamp: 2024-06-20 17:37:48 UTC, Bytes transferred: 149, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID: 4 | Source: 192.168.2.5:49721 | Destination: 104.26.4.15:443 | PID: 3168 | Process: C:\Users\user\Desktop\PNO3otPYOa.exe
Timestamp: 2024-06-20 17:37:48 UTC, Bytes transferred: 260, Direction: OUT
GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Content-Type: application/x-www-form-urlencoded
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: db-ip.com
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 657, Direction: IN
HTTP/1.1 200 OK
                                  Date: Thu, 20 Jun 2024 17:37:49 GMT
                                  Content-Type: application/json
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  x-iplb-request-id: AC466F1C:648C_93878F2E:0050_667468ED_14B4F0FE:7B63
                                  x-iplb-instance: 59128
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=533%2FzfARlklYQt0DHYY8%2F%2Bqd05V00pGYdOeBGHw7ahZ3QcrTAHaCVgyx9eeeSDT06B%2FCXR9ug588ETexq2o0xiaRp8E9Ij0oPlPsrDHaMj49sj5Jp9Bm8PONmA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 896d87694ee70f73-EWR
                                  alt-svc: h3=":443"; ma=86400
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 85, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 5, Direction: IN, Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5 | Source: 192.168.2.5:49722 | Destination: 104.26.4.15:443 | PID: 2668 | Process: C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 260, Direction: OUT
GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Content-Type: application/x-www-form-urlencoded
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: db-ip.com
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 649, Direction: IN
HTTP/1.1 200 OK
                                  Date: Thu, 20 Jun 2024 17:37:49 GMT
                                  Content-Type: application/json
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  x-iplb-request-id: A29E9A1C:781E_93878F2E:0050_667468ED_14C91A01:4F34
                                  x-iplb-instance: 59215
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ICDa2LLJHOwdVxTz5gXpeBheAwugrFvp5azdxAMiN05xkx0wvcZpZBMuyATvWC4RQL0y4GgBmEjs7vt0JqW7UvFGnM0qXWbvZ2AA7nDBbTqbloN5i6m2SO1FFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 896d876a291743c1-EWR
                                  alt-svc: h3=":443"; ma=86400
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 85, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 5, Direction: IN, Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 6 | Source: 192.168.2.5:49723 | Destination: 104.26.4.15:443 | PID: 2272 | Process: C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 260, Direction: OUT
GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Content-Type: application/x-www-form-urlencoded
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: db-ip.com
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 657, Direction: IN
HTTP/1.1 200 OK
                                  Date: Thu, 20 Jun 2024 17:37:49 GMT
                                  Content-Type: application/json
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  x-iplb-request-id: AC46729A:9CAA_93878F2E:0050_667468ED_14B4F10E:7B63
                                  x-iplb-instance: 59128
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wjSmtxHan5iM1Xx%2BumM%2FHCUxcJ4Y5yIH%2BSG03o2dbP5DKaWSIXH7u5vWMkw2viS0yZhHjA3SBN7kqQmq0UjJEZdCkhA64EWBSnIbMst5%2BY6FHeoYdomRQHrPdA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 896d876a9a3f199d-EWR
                                  alt-svc: h3=":443"; ma=86400
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 85, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
Timestamp: 2024-06-20 17:37:49 UTC, Bytes transferred: 5, Direction: IN, Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 7 | Source: 192.168.2.5:49728 | Destination: 34.117.186.192:443 | PID: 4956 | Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp: 2024-06-20 17:38:04 UTC, Bytes transferred: 236, Direction: OUT
GET /widget/demo/8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Referer: https://ipinfo.io/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: ipinfo.io
Timestamp: 2024-06-20 17:38:04 UTC, Bytes transferred: 515, Direction: IN
HTTP/1.1 200 OK
                                  server: nginx/1.24.0
                                  date: Thu, 20 Jun 2024 17:38:04 GMT
                                  content-type: application/json; charset=utf-8
                                  Content-Length: 1025
                                  access-control-allow-origin: *
                                  x-frame-options: SAMEORIGIN
                                  x-xss-protection: 1; mode=block
                                  x-content-type-options: nosniff
                                  referrer-policy: strict-origin-when-cross-origin
                                  x-envoy-upstream-service-time: 11
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close
Timestamp: 2024-06-20 17:38:04 UTC, Bytes transferred: 875, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
Timestamp: 2024-06-20 17:38:04 UTC, Bytes transferred: 150, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: "email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID: 8 | Source: 192.168.2.5:49729 | Destination: 34.117.186.192:443 | PID: 4440 | Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp: 2024-06-20 17:38:04 UTC, Bytes transferred: 236, Direction: OUT
GET /widget/demo/8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Referer: https://ipinfo.io/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: ipinfo.io
Timestamp: 2024-06-20 17:38:04 UTC, Bytes transferred: 514, Direction: IN
HTTP/1.1 200 OK
                                  server: nginx/1.24.0
                                  date: Thu, 20 Jun 2024 17:38:04 GMT
                                  content-type: application/json; charset=utf-8
                                  Content-Length: 1025
                                  access-control-allow-origin: *
                                  x-frame-options: SAMEORIGIN
                                  x-xss-protection: 1; mode=block
                                  x-content-type-options: nosniff
                                  referrer-policy: strict-origin-when-cross-origin
                                  x-envoy-upstream-service-time: 2
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close
Timestamp: 2024-06-20 17:38:04 UTC, Bytes transferred: 876, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
Timestamp: 2024-06-20 17:38:04 UTC, Bytes transferred: 149, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID: 9 | Source: 192.168.2.5:49730 | Destination: 104.26.4.15:443 | PID: 4956 | Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp: 2024-06-20 17:38:05 UTC, Bytes transferred: 260, Direction: OUT
GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Content-Type: application/x-www-form-urlencoded
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: db-ip.com
Timestamp: 2024-06-20 17:38:05 UTC, Bytes transferred: 651, Direction: IN
HTTP/1.1 200 OK
                                  Date: Thu, 20 Jun 2024 17:38:05 GMT
                                  Content-Type: application/json
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  x-iplb-request-id: A29E9E02:B20A_93878F2E:0050_667468FD_14C91C1F:4F34
                                  x-iplb-instance: 59215
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QWTe5yzTIony3UO5iutKTXIxCLRWs%2BlQeiIRAADcW0Q4PEEyKtZcJlqobsYKt4EVoDJrRZGrSp98VCqQqnk1aaALoCgg2mHlSisLj2sQymol8beQ3ME25WIxcw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 896d87cfde9f41cd-EWR
                                  alt-svc: h3=":443"; ma=86400
Timestamp: 2024-06-20 17:38:05 UTC, Bytes transferred: 85, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
Timestamp: 2024-06-20 17:38:05 UTC, Bytes transferred: 5, Direction: IN, Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 10 | Source: 192.168.2.5:49731 | Destination: 104.26.4.15:443 | PID: 4440 | Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp: 2024-06-20 17:38:05 UTC, Bytes transferred: 260, Direction: OUT
GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Content-Type: application/x-www-form-urlencoded
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: db-ip.com
Timestamp: 2024-06-20 17:38:05 UTC, Bytes transferred: 651, Direction: IN
HTTP/1.1 200 OK
                                  Date: Thu, 20 Jun 2024 17:38:05 GMT
                                  Content-Type: application/json
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  x-iplb-request-id: A29E9A18:3A9E_93878F2E:0050_667468FD_14B4F368:7B63
                                  x-iplb-instance: 59128
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QMF8eEyYVCoMq4wh7PFT3DQVLVQ0BJnQjLpPmITLStbzg5Z52zJzuJwulcfjXFJxyMtug5bMSZxDDMOJw0YLkZHhmDM1CB6UjJ7MEZa5bwuwcvt4I%2B9PNWzXXQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 896d87d00af243b9-EWR
                                  alt-svc: h3=":443"; ma=86400
Timestamp: 2024-06-20 17:38:05 UTC, Bytes transferred: 85, Direction: IN, Data Raw: (hex dump omitted; ASCII decode follows)
                                  Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
Timestamp: 2024-06-20 17:38:05 UTC, Bytes transferred: 5, Direction: IN, Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



                                  Target ID:0
                                  Start time:13:36:55
                                  Start date:20/06/2024
                                  Path:C:\Users\user\Desktop\PNO3otPYOa.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\PNO3otPYOa.exe"
                                  Imagebase:0x400000
                                  File size:3'423'760 bytes
                                  MD5 hash:FFCCF1DF9E560E259284B35348A3989F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2619633459.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:13:37:00
                                  Start date:20/06/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                  Imagebase:0x6f0000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:13:37:00
                                  Start date:20/06/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:13:37:00
                                  Start date:20/06/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                  Imagebase:0x6f0000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:13:37:00
                                  Start date:20/06/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:13:37:01
                                  Start date:20/06/2024
                                  Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Imagebase:0x400000
                                  File size:3'423'760 bytes
                                  MD5 hash:FFCCF1DF9E560E259284B35348A3989F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 58%, ReversingLabs
                                  Reputation:low
                                  Has exited:true

                                  Target ID:7
                                  Start time:13:37:01
                                  Start date:20/06/2024
                                  Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Imagebase:0x400000
                                  File size:3'423'760 bytes
                                  MD5 hash:FFCCF1DF9E560E259284B35348A3989F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:8
                                  Start time:13:37:09
                                  Start date:20/06/2024
                                  Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                  Imagebase:0x400000
                                  File size:3'423'760 bytes
                                  MD5 hash:FFCCF1DF9E560E259284B35348A3989F
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 58%, ReversingLabs
                                  Reputation:low
                                  Has exited:true

                                  Target ID:10
                                  Start time:13:37:17
                                  Start date:20/06/2024
                                  Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                  Imagebase:0x400000
                                  File size:3'423'760 bytes
                                  MD5 hash:FFCCF1DF9E560E259284B35348A3989F
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:16
                                  Start time:13:37:58
                                  Start date:20/06/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1972
                                  Imagebase:0x890000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:17
                                  Start time:13:37:59
                                  Start date:20/06/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1916
                                  Imagebase:0x890000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:19
                                  Start time:13:37:59
                                  Start date:20/06/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1736
                                  Imagebase:0x890000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Execution Graph

                                    Execution Coverage:23.7%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:50.9%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:40
                                    execution_graph: [node/edge dump of the interactive execution graph omitted; only the symbols recoverable from the graph nodes are listed here]
                                    Win32 API nodes seen in the graph: CreateDirectoryA, SHGetFolderPathA, CopyFileA, FindFirstFileA, FindNextFileA, FindClose, GetLastError, GetSystemTimeAsFileTime, GetCurrentProcess, IsWow64Process, RaiseException, RtlReleaseSRWLockExclusive
                                    C/C++ runtime symbols seen in the graph: std::_Throw_Cpp_error, std::ios_base::_Ios_base_dtor, std::locale::_Locimp::_Locimp, std::_Facet_Register, __fread_nolock, Concurrency::cancel_current_task, ___std_exception_copy
49d3a0 52616->52709 52789 49af60 52616->52789 52870 4986b0 52616->52870 52947 4963b0 52616->52947 52618 49f106 52617->52618 52619 417ef0 41 API calls 52618->52619 52620 49f12f 52619->52620 52621 4140c0 41 API calls 52620->52621 52622 49f159 52621->52622 52623 41af80 41 API calls 52622->52623 52624 49f1f4 __fread_nolock 52623->52624 52625 49f212 SHGetFolderPathA 52624->52625 52626 41ac50 41 API calls 52625->52626 52627 49f23f 52626->52627 52628 41ab20 41 API calls 52627->52628 52629 49f2e4 __fread_nolock 52628->52629 52630 49f2fe GetPrivateProfileSectionNamesA 52629->52630 52683 49f331 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 52630->52683 52632 4a348d lstrlen 52633 4a34a3 52632->52633 52632->52683 52635 402df0 std::_Throw_Cpp_error 41 API calls 52633->52635 52634 49f422 GetPrivateProfileStringA 52634->52683 52636 4a34b2 52635->52636 52637 402df0 std::_Throw_Cpp_error 41 API calls 52636->52637 52638 4a34c1 52637->52638 52639 402df0 std::_Throw_Cpp_error 41 API calls 52638->52639 52640 4a34cd 52639->52640 52643 402df0 std::_Throw_Cpp_error 41 API calls 52640->52643 52641 4a34fb 52646 402cf0 std::_Throw_Cpp_error 41 API calls 52641->52646 52642 41abb0 41 API calls 52642->52683 52644 4a34d9 52643->52644 52645 402df0 std::_Throw_Cpp_error 41 API calls 52644->52645 52647 4a34e5 52645->52647 52648 4a3514 52646->52648 52647->52616 52649 41ace0 41 API calls 52648->52649 52650 4a3529 52649->52650 52651 407cf0 41 API calls 52650->52651 52652 4a3541 52651->52652 52653 4351fb std::_Throw_Cpp_error RaiseException 52652->52653 52654 4a3555 52653->52654 52655 438c70 std::_Throw_Cpp_error 41 API calls 52654->52655 52656 4a355a 52655->52656 52659 402cf0 std::_Throw_Cpp_error 41 API calls 52656->52659 52657 41e8a0 41 API calls 52657->52683 52658 4e7640 87 API calls 52658->52683 52661 4a356d 52659->52661 52660 4d6790 148 API calls 52660->52683 52664 41ace0 41 API calls 52661->52664 52662 4032d0 std::_Throw_Cpp_error 41 API calls 52662->52683 52663 
41b430 53 API calls 52663->52683 52665 4a3582 52664->52665 52668 407cf0 41 API calls 52665->52668 52666 402df0 41 API calls std::_Throw_Cpp_error 52666->52683 52667 417ef0 41 API calls 52667->52683 52669 4a359a 52668->52669 52671 4351fb std::_Throw_Cpp_error RaiseException 52669->52671 52670 4d65f0 87 API calls 52670->52683 52672 4a35ae 52671->52672 52673 402cf0 std::_Throw_Cpp_error 41 API calls 52672->52673 52674 4a35c2 52673->52674 52675 41ace0 41 API calls 52674->52675 52676 4a35d7 52675->52676 52677 407cf0 41 API calls 52676->52677 52678 4a35ef 52677->52678 52679 4351fb std::_Throw_Cpp_error RaiseException 52678->52679 52680 4a3603 52679->52680 52682 4e6ca0 86 API calls 52682->52683 52683->52632 52683->52634 52683->52641 52683->52642 52683->52654 52683->52656 52683->52657 52683->52658 52683->52660 52683->52662 52683->52663 52683->52666 52683->52667 52683->52670 52683->52672 52683->52682 52684 4a1c5f CreateDirectoryA 52683->52684 52686 41af80 41 API calls 52683->52686 52687 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 52683->52687 52688 41ab20 41 API calls 52683->52688 52689 41ad80 41 API calls 52683->52689 52690 413d50 41 API calls 52683->52690 52691 403040 41 API calls std::_Throw_Cpp_error 52683->52691 52692 41b0e0 41 API calls 52683->52692 52693 4a1f46 CreateDirectoryA 52683->52693 52694 4e6d70 78 API calls 52683->52694 52695 402fe0 41 API calls std::_Throw_Cpp_error 52683->52695 52696 439820 43 API calls 52683->52696 52697 402cf0 std::_Throw_Cpp_error 41 API calls 52683->52697 52699 41ace0 41 API calls 52683->52699 52700 41b7b0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection 52683->52700 52701 413980 41 API calls 52683->52701 52703 426db0 41 API calls 52683->52703 52704 4a3610 154 API calls 52683->52704 52705 4130f0 41 API calls 52683->52705 52707 441628 75 API calls 52683->52707 52708 43d0a8 78 API calls 52683->52708 53026 440fae 52683->53026 53040 42c080 41 API calls 2 library calls 
52683->53040 53041 424900 41 API calls 52683->53041 53042 413200 52683->53042 53057 41b9d0 41 API calls 2 library calls 52683->53057 53058 4136c0 41 API calls std::_Throw_Cpp_error 52683->53058 52684->52683 52686->52683 52687->52683 52688->52683 52689->52683 52690->52683 52691->52683 52692->52683 52693->52683 52694->52683 52695->52683 52696->52683 52697->52683 52699->52683 52700->52683 52701->52683 52703->52683 52704->52683 52705->52683 52707->52683 52708->52683 52710 49d3d6 52709->52710 52711 417ef0 41 API calls 52710->52711 52712 49d3ff 52711->52712 52713 4140c0 41 API calls 52712->52713 52714 49d429 52713->52714 52715 41af80 41 API calls 52714->52715 52716 49d4c4 __fread_nolock 52715->52716 52717 49d4e2 SHGetFolderPathA 52716->52717 52718 41ac50 41 API calls 52717->52718 52719 49d50f 52718->52719 52720 41ab20 41 API calls 52719->52720 52721 49d5b4 __fread_nolock 52720->52721 52722 49d5ce GetPrivateProfileSectionNamesA 52721->52722 52783 49d601 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 52722->52783 52723 440fae 50 API calls 52723->52783 52724 49ef31 lstrlen 52725 49ef47 52724->52725 52724->52783 52727 402df0 std::_Throw_Cpp_error 41 API calls 52725->52727 52726 49d6f2 GetPrivateProfileStringA 52726->52783 52728 49ef56 52727->52728 52729 402df0 std::_Throw_Cpp_error 41 API calls 52728->52729 52730 49ef65 52729->52730 52733 402df0 std::_Throw_Cpp_error 41 API calls 52730->52733 52731 49f068 52736 438c70 std::_Throw_Cpp_error 41 API calls 52731->52736 52732 41e8a0 41 API calls 52732->52783 52734 49ef71 52733->52734 52734->52616 52735 41abb0 41 API calls 52735->52783 52737 49f072 52736->52737 52738 402cf0 std::_Throw_Cpp_error 41 API calls 52737->52738 52739 49f089 52738->52739 52740 41ace0 41 API calls 52739->52740 52741 49f09e 52740->52741 52742 407cf0 41 API calls 52741->52742 52743 49f0b6 52742->52743 52745 4351fb std::_Throw_Cpp_error RaiseException 52743->52745 52744 41ab20 41 API calls 52744->52783 52746 49f0ca 52745->52746 
52747 439820 43 API calls 52747->52783 52748 43d0a8 78 API calls 52748->52783 52749 403040 41 API calls std::_Throw_Cpp_error 52749->52783 52750 402df0 41 API calls std::_Throw_Cpp_error 52750->52783 52751 4140c0 41 API calls 52751->52783 52752 4e64d0 44 API calls 52752->52783 52754 49efc0 52758 402cf0 std::_Throw_Cpp_error 41 API calls 52754->52758 52755 4032d0 41 API calls std::_Throw_Cpp_error 52755->52783 52756 4185d0 76 API calls 52756->52783 52757 4180a0 41 API calls 52757->52783 52759 49efd7 52758->52759 52761 41ace0 41 API calls 52759->52761 52760 416130 41 API calls 52760->52783 52762 49efec 52761->52762 52764 407cf0 41 API calls 52762->52764 52763 4d6790 148 API calls 52763->52783 52765 49f004 52764->52765 52766 4351fb std::_Throw_Cpp_error RaiseException 52765->52766 52766->52731 52767 49ef86 52769 402cf0 std::_Throw_Cpp_error 41 API calls 52767->52769 52768 4d65f0 87 API calls 52768->52783 52770 49ef99 52769->52770 52771 41ace0 41 API calls 52770->52771 52777 49ee87 52771->52777 52772 407cf0 41 API calls 52772->52765 52773 49ee5e 52774 402cf0 std::_Throw_Cpp_error 41 API calls 52773->52774 52775 49ee72 52774->52775 52776 41ace0 41 API calls 52775->52776 52776->52777 52777->52772 52779 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 52779->52783 52780 426db0 41 API calls 52780->52783 52781 49f014 52785 402cf0 std::_Throw_Cpp_error 41 API calls 52781->52785 52782 417ef0 41 API calls 52782->52783 52783->52723 52783->52724 52783->52726 52783->52731 52783->52732 52783->52735 52783->52737 52783->52744 52783->52747 52783->52748 52783->52749 52783->52750 52783->52751 52783->52752 52783->52754 52783->52755 52783->52756 52783->52757 52783->52760 52783->52763 52783->52767 52783->52768 52783->52773 52783->52779 52783->52780 52783->52781 52783->52782 52784 424900 41 API calls 52783->52784 52786 413d50 41 API calls 52783->52786 53066 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 
52783->53066 53067 423f40 102 API calls 4 library calls 52783->53067 52784->52783 52787 49f027 52785->52787 52786->52783 52788 41ace0 41 API calls 52787->52788 52788->52777 52790 49af96 52789->52790 52791 417ef0 41 API calls 52790->52791 52792 49afbf 52791->52792 52793 4140c0 41 API calls 52792->52793 52794 49afe9 52793->52794 52795 41af80 41 API calls 52794->52795 52796 49b128 __fread_nolock 52795->52796 52797 49b146 SHGetFolderPathA 52796->52797 52798 41ac50 41 API calls 52797->52798 52799 49b173 52798->52799 52800 41ab20 41 API calls 52799->52800 52801 49b227 __fread_nolock 52800->52801 52802 49b241 GetPrivateProfileSectionNamesA 52801->52802 52858 49b274 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 52802->52858 52803 440fae 50 API calls 52803->52858 52804 49d22c lstrlen 52805 49d242 52804->52805 52804->52858 52806 402df0 std::_Throw_Cpp_error 41 API calls 52805->52806 52808 49d251 52806->52808 52807 49b365 GetPrivateProfileStringA 52807->52858 52809 402df0 std::_Throw_Cpp_error 41 API calls 52808->52809 52811 49d260 52809->52811 52810 49d329 52816 438c70 std::_Throw_Cpp_error 41 API calls 52810->52816 52813 402df0 std::_Throw_Cpp_error 41 API calls 52811->52813 52812 41e8a0 41 API calls 52812->52858 52814 49d26c 52813->52814 52814->52616 52815 41abb0 41 API calls 52815->52858 52817 49d333 52816->52817 53069 419e60 RaiseException 52817->53069 52818 402df0 41 API calls std::_Throw_Cpp_error 52818->52858 52820 49d338 52821 402cf0 std::_Throw_Cpp_error 41 API calls 52820->52821 52822 49d34f 52821->52822 52823 41ace0 41 API calls 52822->52823 52824 49d364 52823->52824 52826 407cf0 41 API calls 52824->52826 52825 41ab20 41 API calls 52825->52858 52827 49d37c 52826->52827 52828 4351fb std::_Throw_Cpp_error RaiseException 52827->52828 52830 49d390 52828->52830 52829 439820 43 API calls 52829->52858 52831 43d0a8 78 API calls 52831->52858 52832 4140c0 41 API calls 52832->52858 52833 4e64d0 44 API calls 52833->52858 52834 4032d0 41 API calls 
std::_Throw_Cpp_error 52834->52858 52836 49d281 52838 402cf0 std::_Throw_Cpp_error 41 API calls 52836->52838 52837 4185d0 76 API calls 52837->52858 52840 49d298 52838->52840 52839 416130 41 API calls 52839->52858 52841 41ace0 41 API calls 52840->52841 52842 49d2ad 52841->52842 52844 407cf0 41 API calls 52842->52844 52843 4d6790 148 API calls 52843->52858 52845 49d2c5 52844->52845 52847 4351fb std::_Throw_Cpp_error RaiseException 52845->52847 52846 41af80 41 API calls 52846->52858 52847->52810 52848 49d0d3 52851 402cf0 std::_Throw_Cpp_error 41 API calls 52848->52851 52849 417ef0 41 API calls 52849->52858 52850 4d65f0 87 API calls 52850->52858 52852 49d0e6 52851->52852 52853 41ace0 41 API calls 52852->52853 52869 49d0fb 52853->52869 52854 407cf0 41 API calls 52854->52845 52855 41fbf0 41 API calls 52855->52858 52856 418f00 std::_Throw_Cpp_error 41 API calls 52856->52858 52857 403040 41 API calls std::_Throw_Cpp_error 52857->52858 52858->52803 52858->52804 52858->52807 52858->52810 52858->52812 52858->52815 52858->52817 52858->52818 52858->52820 52858->52825 52858->52829 52858->52831 52858->52832 52858->52833 52858->52834 52858->52836 52858->52837 52858->52839 52858->52843 52858->52846 52858->52848 52858->52849 52858->52850 52858->52855 52858->52856 52858->52857 52859 426db0 41 API calls 52858->52859 52860 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 52858->52860 52861 4163b0 std::_Throw_Cpp_error 41 API calls 52858->52861 52862 4180a0 41 API calls 52858->52862 52863 49d2d5 52858->52863 52864 413d50 41 API calls 52858->52864 52865 424900 41 API calls 52858->52865 53068 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 52858->53068 52859->52858 52860->52858 52861->52858 52862->52858 52866 402cf0 std::_Throw_Cpp_error 41 API calls 52863->52866 52864->52858 52865->52858 52867 49d2e8 52866->52867 52868 41ace0 41 API calls 52867->52868 52868->52869 52869->52854 52871 4986e6 52870->52871 
52872 417ef0 41 API calls 52871->52872 52873 49870f 52872->52873 52874 4140c0 41 API calls 52873->52874 52875 498739 52874->52875 52876 41af80 41 API calls 52875->52876 52877 4987d4 __fread_nolock 52876->52877 52878 4987f2 SHGetFolderPathA 52877->52878 52879 41ac50 41 API calls 52878->52879 52880 49881f 52879->52880 52881 41ab20 41 API calls 52880->52881 52882 4988c4 __fread_nolock 52881->52882 52883 4988de GetPrivateProfileSectionNamesA 52882->52883 52936 498914 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 52883->52936 52884 440fae 50 API calls 52884->52936 52885 49ae10 lstrlen 52886 49ae29 52885->52886 52885->52936 52888 402df0 std::_Throw_Cpp_error 41 API calls 52886->52888 52887 498a05 GetPrivateProfileStringA 52887->52936 52889 49ae38 52888->52889 52890 402df0 std::_Throw_Cpp_error 41 API calls 52889->52890 52892 49ae47 52890->52892 52891 49aef7 52897 438c70 std::_Throw_Cpp_error 41 API calls 52891->52897 52893 402df0 std::_Throw_Cpp_error 41 API calls 52892->52893 52895 49ae53 52893->52895 52894 41e8a0 41 API calls 52894->52936 52895->52616 52896 41abb0 41 API calls 52896->52936 52898 49af01 52897->52898 52899 402cf0 std::_Throw_Cpp_error 41 API calls 52898->52899 52900 49af15 52899->52900 52901 41ace0 41 API calls 52900->52901 52902 49af2a 52901->52902 52903 407cf0 41 API calls 52902->52903 52904 49af42 52903->52904 52905 4351fb std::_Throw_Cpp_error RaiseException 52904->52905 52907 49af56 52905->52907 52906 41ab20 41 API calls 52906->52936 52908 439820 43 API calls 52908->52936 52909 43d0a8 78 API calls 52909->52936 52910 402df0 41 API calls std::_Throw_Cpp_error 52910->52936 52911 402fe0 41 API calls std::_Throw_Cpp_error 52911->52936 52912 4140c0 41 API calls 52912->52936 52913 4e64d0 44 API calls 52913->52936 52915 49ae68 52918 402cf0 std::_Throw_Cpp_error 41 API calls 52915->52918 52916 4032d0 41 API calls std::_Throw_Cpp_error 52916->52936 52917 4185d0 76 API calls 52917->52936 52920 49ae7f 52918->52920 52919 416130 41 
API calls 52919->52936 52921 41ace0 41 API calls 52920->52921 52923 49ad42 52921->52923 52922 4d6790 148 API calls 52922->52936 52924 407cf0 41 API calls 52923->52924 52925 49aee3 52924->52925 52927 4351fb std::_Throw_Cpp_error RaiseException 52925->52927 52926 41af80 41 API calls 52926->52936 52927->52891 52928 417ef0 41 API calls 52928->52936 52929 4d65f0 87 API calls 52929->52936 52930 49ad1a 52931 402cf0 std::_Throw_Cpp_error 41 API calls 52930->52931 52932 49ad2d 52931->52932 52933 41ace0 41 API calls 52932->52933 52933->52923 52934 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 52934->52936 52935 426db0 41 API calls 52935->52936 52936->52884 52936->52885 52936->52887 52936->52891 52936->52894 52936->52896 52936->52898 52936->52906 52936->52908 52936->52909 52936->52910 52936->52911 52936->52912 52936->52913 52936->52915 52936->52916 52936->52917 52936->52919 52936->52922 52936->52926 52936->52928 52936->52929 52936->52930 52936->52934 52936->52935 52937 4412f6 50 API calls 52936->52937 52938 403040 41 API calls std::_Throw_Cpp_error 52936->52938 52940 4180a0 41 API calls 52936->52940 52941 49aea3 52936->52941 52942 413d50 41 API calls 52936->52942 52943 424900 41 API calls 52936->52943 53070 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 52936->53070 53071 42c080 41 API calls 2 library calls 52936->53071 52937->52936 52938->52936 52940->52936 52944 402cf0 std::_Throw_Cpp_error 41 API calls 52941->52944 52942->52936 52943->52936 52945 49aeb6 52944->52945 52946 41ace0 41 API calls 52945->52946 52946->52923 52948 4963e6 52947->52948 52949 417ef0 41 API calls 52948->52949 52950 49640f 52949->52950 52951 4140c0 41 API calls 52950->52951 52952 496439 52951->52952 52953 41af80 41 API calls 52952->52953 52954 4964d4 __fread_nolock 52953->52954 52955 4964f2 SHGetFolderPathA 52954->52955 52956 41ac50 41 API calls 52955->52956 52957 49651f 52956->52957 52958 41ab20 41 API calls 
52957->52958 52959 4965c4 __fread_nolock 52958->52959 52960 4965de GetPrivateProfileSectionNamesA 52959->52960 52961 496611 std::ios_base::_Ios_base_dtor __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z std::locale::_Locimp::_Locimp 52960->52961 52962 440fae 50 API calls 52961->52962 52963 49854e lstrlen 52961->52963 52966 496702 GetPrivateProfileStringA 52961->52966 52969 49864b 52961->52969 52971 41e8a0 41 API calls 52961->52971 52975 41abb0 41 API calls 52961->52975 52976 498655 52961->52976 52983 41ab20 41 API calls 52961->52983 52986 439820 43 API calls 52961->52986 52987 43d0a8 78 API calls 52961->52987 52988 402df0 41 API calls std::_Throw_Cpp_error 52961->52988 52989 4140c0 41 API calls 52961->52989 52990 4032d0 41 API calls std::_Throw_Cpp_error 52961->52990 52991 4e64d0 44 API calls 52961->52991 52993 4985a3 52961->52993 52994 4185d0 76 API calls 52961->52994 52995 416130 41 API calls 52961->52995 53000 4d6790 148 API calls 52961->53000 53003 41af80 41 API calls 52961->53003 53005 417ef0 41 API calls 52961->53005 53006 4d65f0 87 API calls 52961->53006 53007 4983f5 52961->53007 53013 41fbf0 41 API calls 52961->53013 53014 418f00 std::_Throw_Cpp_error 41 API calls 52961->53014 53015 433672 std::_Facet_Register 3 API calls 52961->53015 53016 403040 41 API calls std::_Throw_Cpp_error 52961->53016 53017 426db0 41 API calls 52961->53017 53018 4412f6 50 API calls 52961->53018 53019 4180a0 41 API calls 52961->53019 53020 4985f7 52961->53020 53022 413d50 41 API calls 52961->53022 53023 424900 41 API calls 52961->53023 53072 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 52961->53072 52962->52961 52963->52961 52964 498564 52963->52964 52965 402df0 std::_Throw_Cpp_error 41 API calls 52964->52965 52967 498573 52965->52967 52966->52961 52968 402df0 std::_Throw_Cpp_error 41 API calls 52967->52968 52970 498582 52968->52970 52974 438c70 std::_Throw_Cpp_error 41 API calls 52969->52974 52972 402df0 std::_Throw_Cpp_error 
41 API calls 52970->52972 52971->52961 52973 49858e 52972->52973 52973->52616 52974->52976 52975->52961 52977 402cf0 std::_Throw_Cpp_error 41 API calls 52976->52977 52978 49866c 52977->52978 52979 41ace0 41 API calls 52978->52979 52980 498681 52979->52980 52981 407cf0 41 API calls 52980->52981 52982 498699 52981->52982 52984 4351fb std::_Throw_Cpp_error RaiseException 52982->52984 52983->52961 52985 4986ad 52984->52985 52986->52961 52987->52961 52988->52961 52989->52961 52990->52961 52991->52961 52996 402cf0 std::_Throw_Cpp_error 41 API calls 52993->52996 52994->52961 52995->52961 52997 4985ba 52996->52997 52998 41ace0 41 API calls 52997->52998 52999 4985cf 52998->52999 53001 407cf0 41 API calls 52999->53001 53000->52961 53002 4985e7 53001->53002 53004 4351fb std::_Throw_Cpp_error RaiseException 53002->53004 53003->52961 53004->52969 53005->52961 53006->52961 53008 402cf0 std::_Throw_Cpp_error 41 API calls 53007->53008 53009 498408 53008->53009 53010 41ace0 41 API calls 53009->53010 53011 49841d 53010->53011 53012 407cf0 41 API calls 53011->53012 53012->53002 53013->52961 53014->52961 53015->52961 53016->52961 53017->52961 53018->52961 53019->52961 53021 402cf0 std::_Throw_Cpp_error 41 API calls 53020->53021 53024 49860a 53021->53024 53022->52961 53023->52961 53025 41ace0 41 API calls 53024->53025 53025->53011 53027 441005 53026->53027 53028 440fbd 53026->53028 53063 44101b 50 API calls 3 library calls 53027->53063 53030 440fc3 53028->53030 53031 440fe0 53028->53031 53059 4416ff 14 API calls __dosmaperr 53030->53059 53039 440ffe 53031->53039 53061 4416ff 14 API calls __dosmaperr 53031->53061 53032 440fd3 53032->52683 53034 440fc8 53060 438c60 41 API calls __fread_nolock 53034->53060 53037 440fef 53062 438c60 41 API calls __fread_nolock 53037->53062 53039->52683 53040->52683 53041->52683 53043 41325c 53042->53043 53046 413225 53042->53046 53044 402cf0 std::_Throw_Cpp_error 41 API calls 53043->53044 53045 413269 53044->53045 53064 407b10 41 API calls 3 library calls 
53045->53064 53047 413235 53046->53047 53049 402cf0 std::_Throw_Cpp_error 41 API calls 53046->53049 53047->52683 53051 41329f 53049->53051 53050 413281 53052 4351fb std::_Throw_Cpp_error RaiseException 53050->53052 53065 407b10 41 API calls 3 library calls 53051->53065 53052->53046 53054 4132b7 53055 4351fb std::_Throw_Cpp_error RaiseException 53054->53055 53056 4132c8 53055->53056 53057->52683 53058->52683 53059->53034 53060->53032 53061->53037 53062->53032 53063->53032 53064->53050 53065->53054 53066->52783 53067->52783 53068->52858 53070->52936 53071->52936 53072->52961 53258 4c7b00 53259 4c7ecc 53258->53259 53262 4c7b3e std::ios_base::_Ios_base_dtor __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 53258->53262 53260 4c7b87 setsockopt recv WSAGetLastError 53260->53259 53260->53262 53262->53260 53263 4c7e15 recv 53262->53263 53265 4c7eb7 Sleep 53262->53265 53266 4c7eaf Sleep 53262->53266 53267 418dc0 41 API calls 53262->53267 53270 409280 44 API calls 53262->53270 53271 4c7ee1 53262->53271 53272 4163b0 std::_Throw_Cpp_error 41 API calls 53262->53272 53273 4c7cd6 setsockopt recv 53262->53273 53274 418dc0 41 API calls 53262->53274 53278 4c8590 WSAStartup 53262->53278 53291 4c7ef0 53262->53291 53363 433069 53262->53363 53263->53266 53265->53259 53265->53262 53266->53265 53268 4c7c2d recv 53267->53268 53268->53262 53269 4c7c4e recv 53268->53269 53269->53262 53270->53262 53275 438c70 std::_Throw_Cpp_error 41 API calls 53271->53275 53272->53262 53273->53262 53274->53273 53276 4c7ee6 53275->53276 53279 4c8696 53278->53279 53281 4c85c8 53278->53281 53279->53262 53280 4c85fe getaddrinfo 53282 4c8646 53280->53282 53283 4c8690 WSACleanup 53280->53283 53281->53279 53281->53280 53284 4c86a4 FreeAddrInfoW 53282->53284 53286 4c8654 socket 53282->53286 53283->53279 53284->53283 53285 4c86b0 53284->53285 53285->53262 53286->53283 53287 4c866a connect 53286->53287 53288 4c867c closesocket 53287->53288 53289 4c86a0 53287->53289 53288->53286 53290 4c8686 FreeAddrInfoW 53288->53290 
53289->53284 53290->53283 53292 4c7f6c 53291->53292 53293 4c7f3e 53291->53293 53295 4c7f8e 53292->53295 53296 4c7f74 53292->53296 53294 402cf0 std::_Throw_Cpp_error 41 API calls 53293->53294 53297 4c7f50 53294->53297 53299 4c7f96 53295->53299 53300 4c7fb0 53295->53300 53366 416290 41 API calls 53296->53366 53303 409280 44 API calls 53297->53303 53367 416290 41 API calls 53299->53367 53301 4c7fb8 53300->53301 53302 4c7fd5 53300->53302 53333 4c7f64 53301->53333 53368 416290 41 API calls 53301->53368 53305 4c7fdd 53302->53305 53309 4c7ffb 53302->53309 53303->53333 53369 4412b7 50 API calls __fread_nolock 53305->53369 53308 402df0 std::_Throw_Cpp_error 41 API calls 53310 4c84f1 53308->53310 53311 4c801b 53309->53311 53312 4c82c0 53309->53312 53309->53333 53310->53262 53370 405400 85 API calls std::_Throw_Cpp_error 53311->53370 53313 4c82c8 53312->53313 53314 4c831b 53312->53314 53316 41b430 53 API calls 53313->53316 53317 4c8376 53314->53317 53318 4c8323 53314->53318 53316->53333 53320 4c837e 53317->53320 53321 4c83d1 53317->53321 53319 41b430 53 API calls 53318->53319 53319->53333 53324 41b430 53 API calls 53320->53324 53322 4c842c 53321->53322 53323 4c83d9 53321->53323 53328 4c8484 53322->53328 53329 4c8434 53322->53329 53327 41b430 53 API calls 53323->53327 53324->53333 53325 4c82a5 53330 432baa RtlReleaseSRWLockExclusive 53325->53330 53326 402cf0 std::_Throw_Cpp_error 41 API calls 53340 4c8040 53326->53340 53327->53333 53328->53333 53375 458b00 50 API calls 2 library calls 53328->53375 53331 41b430 53 API calls 53329->53331 53330->53333 53331->53333 53333->53308 53334 4c849a 53335 4162c0 41 API calls 53334->53335 53337 4c84a9 53335->53337 53336 41ace0 41 API calls 53336->53340 53338 402df0 std::_Throw_Cpp_error 41 API calls 53337->53338 53338->53333 53339 402df0 41 API calls std::_Throw_Cpp_error 53339->53340 53340->53325 53340->53326 53340->53336 53340->53339 53341 4c810b 53340->53341 53371 402d30 41 API calls std::_Throw_Cpp_error 53341->53371 53343 4c812f 53372 
4d62c0 43 API calls 5 library calls 53343->53372 53345 4c8140 53346 402df0 std::_Throw_Cpp_error 41 API calls 53345->53346 53347 4c814f 53346->53347 53348 4c81b2 GetCurrentProcess 53347->53348 53352 4c81e5 53347->53352 53349 4163b0 std::_Throw_Cpp_error 41 API calls 53348->53349 53350 4c81ce 53349->53350 53373 4cf280 61 API calls 3 library calls 53350->53373 53353 439820 43 API calls 53352->53353 53355 4c8247 53353->53355 53354 4c81dd 53356 4c8279 53354->53356 53355->53356 53358 441628 75 API calls 53355->53358 53374 415230 41 API calls std::_Throw_Cpp_error 53356->53374 53360 4c8273 53358->53360 53359 4c8296 53361 402df0 std::_Throw_Cpp_error 41 API calls 53359->53361 53362 43d0a8 78 API calls 53360->53362 53361->53325 53362->53356 53376 43361d 53363->53376 53366->53333 53367->53333 53368->53333 53369->53333 53370->53340 53371->53343 53372->53345 53373->53354 53374->53359 53375->53334 53377 433659 GetSystemTimeAsFileTime 53376->53377 53378 43364d GetSystemTimePreciseAsFileTime 53376->53378 53379 433077 53377->53379 53378->53379 53379->53262 53381 419950 53382 419968 53381->53382 53383 419978 std::ios_base::_Ios_base_dtor 53381->53383 53382->53383 53384 438c70 std::_Throw_Cpp_error 41 API calls 53382->53384 53385 41998d 53384->53385 53386 419a4f 53385->53386 53393 432b74 53385->53393 53390 4199dd 53400 41c430 74 API calls 4 library calls 53390->53400 53392 419a04 53395 432af7 53393->53395 53394 4199cc 53394->53386 53399 4183b0 41 API calls 53394->53399 53395->53394 53396 43d5f6 75 API calls 53395->53396 53397 432b5e 53396->53397 53397->53394 53398 43d0a8 78 API calls 53397->53398 53398->53394 53399->53390 53400->53392 53401 420ad0 53406 4214a0 53401->53406 53403 420b2a 53404 420ae0 53404->53403 53405 429e20 41 API calls 53404->53405 53405->53403 53407 4214cb 53406->53407 53408 4214ee 53407->53408 53409 429e20 41 API calls 53407->53409 53408->53404 53410 42150b 53409->53410 53410->53404 53411 45dcd0 53412 45de11 53411->53412 53413 45dd1d 53411->53413 53414 41ab20 41 
[Control-flow graph text residue: node labels (function addresses with their API call counts, e.g. 45de6d, 481c10, 461e10, 466d20, 463830) and the edges between them; the rendered graph is not reproduced here]
                                    APIs
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BAD2
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040BF80
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C47A
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C575
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C969
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040CD72
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D17B
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D29A
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D6F8
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D9DC
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DAD7
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040DE41
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 0040E55A
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040ECF6
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040EEEA
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F45B
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F525
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 004101ED
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410580
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0041088D
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00410DC4
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 0041173C
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411904
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00411CD7
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411E6E
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411FBE
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410B14
                                      • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00410F12
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FEF1
                                      • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FC55
                                      • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F933
                                      • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                      • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                      • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                      • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                      • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040E6FA
                                      • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                      • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0042910D
                                      • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00429155
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DF3C
                                      • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                      • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                                      • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                                      • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D5FD
                                      • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BB07
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BD08
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BD37
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C0CC
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C196
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Directory$Create$File$Copy$Find$Cpp_errorThrow_std::_$AttributesErrorFirstLast$FolderPath___std_fs_convert_narrow_to_wide@20$CloseDeleteNextRemove
                                    • String ID:
                                    • API String ID: 1172780710-0
                                    • Opcode ID: 34ca7d61199ade8f9b9f8bb2510be09db286ba1594c6de4f038b9ce6806e0909
                                    • Instruction ID: 57087eddf2f8576e704702d152c9cc5b4e2b87ff67a8e07952ed474be97f1841
                                    • Opcode Fuzzy Hash: 34ca7d61199ade8f9b9f8bb2510be09db286ba1594c6de4f038b9ce6806e0909
                                    • Instruction Fuzzy Hash: 56F3E2B4D0425D8BDF25CF99C981AEEBBB1BF18304F1041AAD849B7341DB385A85CF69
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004AA277
                                      • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: FileFindFirstFolderPath
                                    • String ID: ;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$Jzv"$WUa5$X<b.$cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 2195519125-383699475
                                    • Opcode ID: 16f782408abad2313021a9bdaf6694d228d992e2eba5a686fc6ee3378a0a0371
                                    • Instruction ID: d5c29c46e18a526762dbfc7c8aed9f945ae13eab665394adbd88e65e82b678fb
                                    • Opcode Fuzzy Hash: 16f782408abad2313021a9bdaf6694d228d992e2eba5a686fc6ee3378a0a0371
                                    • Instruction Fuzzy Hash: 29B433B0D052698BDB25CF68C984BEEBBB1BF49304F1081DAD449A7281DB746F84CF95
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,0055B192,000000FF), ref: 004D766C
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004D7693
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7959
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7CBB
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004D8DF7
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D9992
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA31E
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DA3EF
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA712
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAA7D
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DAB4E
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAE39
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 004DB0C9
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB27C
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB556
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB93C
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 004DBCF1
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DBEA4
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC17E
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC564
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9FB3
                                      • Part of subcall function 004DFF00: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
                                      • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E05A0
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC99C
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DCAF3
                                      • Part of subcall function 004DE430: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9C53
                                      • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                      • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                      • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                      • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                      • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                      • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 004D9648
                                      • Part of subcall function 004DFF00: FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
                                      • Part of subcall function 004DFF00: FindClose.KERNEL32(00000000), ref: 004E057C
                                      • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E0582
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004D91DD
                                      • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                      • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                                      • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                                      • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 004D896A
                                      • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D8B1D
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004D8362
                                      • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004D8623
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D801B
                                      • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Directory$Create$File$Find$ErrorLast$CopyCpp_errorThrow_std::_$AttributesFolderPath$CloseFirstNext$DeleteRemove
                                    • String ID:
                                    • API String ID: 1140557632-0
                                    • Opcode ID: fa1e81d83961fe38e85dc82033a4d740d6e75d93fa40464b700955af23bd6f68
                                    • Instruction ID: 6b404ecdfd53acb60f6cf5d734e717c5294ca690171ae70fa85b8f1a38f34a58
                                    • Opcode Fuzzy Hash: fa1e81d83961fe38e85dc82033a4d740d6e75d93fa40464b700955af23bd6f68
                                    • Instruction Fuzzy Hash: 76F3F2B4D0525A8BCF15CFA9C9916EEBBB0BF18304F20419AD549B7341DB346B84CFA6
                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B
                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049086F
                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00490895
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490A2C
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490CB3
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490DA0
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490EE1
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490FCB
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 004910B5
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 0049119F
                                    • RegCloseKey.ADVAPI32(?), ref: 0049229B
                                    • RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 004922D1
                                    • RegCloseKey.ADVAPI32(?), ref: 004922E5
                                    Strings
                                    • cannot use operator[] with a string argument with , xrefs: 0049239E, 004923F3
                                    • cannot use push_back() with , xrefs: 00492345
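The three file-handling routines above and this registry routine read as a stealer's collection logic: resolve a per-user folder with SHGetFolderPathA (0x1A is CSIDL_APPDATA, 0x1C is CSIDL_LOCAL_APPDATA), walk it with FindFirstFileA/FindNextFileA, mirror it with CreateDirectoryA and CopyFileA, reset attributes to FILE_ATTRIBUTE_NORMAL (0x80) before DeleteFileA/RemoveDirectoryA so the cleanup cannot fail on read-only files, and open HKEY_CURRENT_USER (0x80000001) with KEY_READ (0x20019) to enumerate a subtree and read its values. The script below is an added example written for this page, not Joe Sandbox code and not part of the report: it parses the "Api.MODULE(args), ref: ADDR" lines in the listing, resolves the Win32 constants that matter for triage, and flags those call combinations. The sample input is a handful of lines copied from the listings above; the regular expression for the line format and the behaviour labels are this example's own assumptions, while the constant values are the documented Win32 ones.

```python
"""Decode a Joe Sandbox 'APIs' listing into behavioural facts (added example)."""
import re
from collections import Counter

# Assumed line shape, taken from the listing on this page:
#   [• ][Part of subcall function XXXXXXXX: ]Api.MODULE(a,b,c), ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)

# Documented Win32 constants, keyed by (API, zero-based argument index).
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
         0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
FILE_ATTR = {0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
             0x80: "FILE_ATTRIBUTE_NORMAL"}
DECODERS = {
    ("SHGetFolderPathA", 1): CSIDL,
    ("RegOpenKeyExA", 0): HIVES,
    ("RegOpenKeyExA", 3): KEY_ACCESS,
    ("SetFileAttributesA", 1): FILE_ATTR,
}

# Behaviour labels (this example's own heuristics): a label fires when every
# API in its set appears somewhere in the listing being summarised.
PATTERNS = {
    "stages files under a user profile folder":
        {"SHGetFolderPathA", "CreateDirectoryA", "CopyFileA"},
    "recursive directory walk":
        {"FindFirstFileA", "FindNextFileA", "FindClose"},
    "clears attributes before deleting (staging-dir cleanup)":
        {"SetFileAttributesA", "DeleteFileA", "RemoveDirectoryA"},
    "enumerates a registry subtree and reads its values":
        {"RegOpenKeyExA", "RegEnumKeyA", "RegQueryValueExA"},
}

# Sample input: lines copied from the listings on this page (no RemoveDirectoryA,
# so the cleanup label must stay unset for this sample).
SAMPLE = r"""
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,0055B192,000000FF), ref: 004D766C
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004D7693
• CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7959
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DA3EF
  • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
  • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
  • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
  • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
  • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
• RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049086F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490A2C
"""


def parse_calls(text):
    """Yield one dict per API line; lines that do not match the shape are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        yield {"api": m.group("api"), "module": m.group("mod"), "args": args,
               "ref": m.group("ref"), "subcall": m.group("sub")}


def decode_args(call):
    """Return {arg index: constant name} for the arguments we know how to resolve."""
    out = {}
    for idx, raw in enumerate(call["args"]):
        table = DECODERS.get((call["api"], idx))
        if table is None or not re.fullmatch(r"[0-9A-F]{8}", raw):
            continue  # unknown API/arg, or a '?' placeholder the sandbox could not resolve
        name = table.get(int(raw, 16))
        if name:
            out[idx] = name
    return out


def summarize(text):
    """Counts per API, resolved constants, and the behaviour labels that fire."""
    calls = list(parse_calls(text))
    apis = Counter(c["api"] for c in calls)
    decoded = sorted({(c["api"], n) for c in calls for n in decode_args(c).values()})
    seen = set(apis)
    return {"calls": len(calls), "api_counts": apis, "decoded": decoded,
            "behaviours": [label for label, need in PATTERNS.items() if need <= seen]}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["calls"], "calls;", dict(s["api_counts"]))
    for api, name in s["decoded"]:
        print(f"  {api}: {name}")
    for b in s["behaviours"]:
        print("  behaviour:", b)
```

Run it as-is to triage this page, or feed it the full "APIs" section of another report; the labels are only as good as the API sets in PATTERNS, and a listing assembled from several unrelated functions will match more of them than any single routine does.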
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: QueryValue$CloseEnumOpen
                                    • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 2041898428-3306948993
                                    • Opcode ID: f785b7c88d275c23fa54bfc851b74a6c6a3d83138168e293f58669b0b68ffe8b
                                    • Instruction ID: 6d5f253b48c5edfa20594e0b0a8a78ae050bf84d77acb07cc1b8e3b44561805a
                                    • Opcode Fuzzy Hash: f785b7c88d275c23fa54bfc851b74a6c6a3d83138168e293f58669b0b68ffe8b
                                    • Instruction Fuzzy Hash: 511322B0C042698BDB25CF68CD84BEEBBB4BF49304F1042EAD549A7241EB756B85CF54
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00493FA7
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0049455F
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0049496C
                                    • FindClose.KERNEL32(00000000), ref: 0049497C
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494A53
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494B19
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00494C9D
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494E44
                                    • CopyFileA.KERNEL32(00000000,?,00000000), ref: 004950F8
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00495638
                                    • CredEnumerateA.SECHOST(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 004959FD
                                    • LocalFree.KERNELBASE(00000000,?,?,?,00000004), ref: 004962D7
                                      • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,0041ABA8,?,?,?,00431D09,0041ABA8,005799D8,00000000,0041ABA8), ref: 0043525B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: File$CopyCreateDirectoryFind$Cpp_errorThrow_std::_$AttributesCloseCredEnumerateErrorExceptionFirstFolderFreeLastLocalNextPathRaise
                                    • String ID: cannot use operator[] with a string argument with $tmX
                                    • API String ID: 3528249430-2011928656
                                    • Opcode ID: 67c875fc519223ade0bc42f043923fb92dda2c9050681a3232cc41151ad3c11d
                                    • Instruction ID: 1c5c2bc117abc336d538eb0f3ab0e4b698252c7f2e821ac10c87ad1798346723
                                    • Opcode Fuzzy Hash: 67c875fc519223ade0bc42f043923fb92dda2c9050681a3232cc41151ad3c11d
                                    • Instruction Fuzzy Hash: 0E3310B4C042698BDB25CFA8C994BEDBBB0BF18304F1041EAD849A7351EB346B85CF55
                                    APIs
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 004827AB
                                    • SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00482AA7
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00482DA5
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00483105
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00483433
                                    • SHGetFolderPathA.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00483737
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 004844E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: FolderPath$AttributesConcurrency::cancel_current_taskErrorFileLast
                                    • String ID: cannot compare iterators of different containers$cannot get value$type must be boolean, but is $type must be string, but is
                                    • API String ID: 1974481932-2698695959
                                    • Opcode ID: 8c8394144ca38a63eb9d008626406e27d1e09b60dce3b0f21157d948b8cc9afc
                                    • Instruction ID: 7d592af2553ac1c7978d8671279e796c0dcb22ab630186640302ddbce1f3b4fb
                                    • Opcode Fuzzy Hash: 8c8394144ca38a63eb9d008626406e27d1e09b60dce3b0f21157d948b8cc9afc
                                    • Instruction Fuzzy Hash: D74334B0C042698BDB25DF28C994BEEBBB5BF48304F1082DAD449A7281DB756F84CF55

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    [Control-flow graph of the function at 4e6770 (FindFirstFileA / FindNextFileA / SetFileAttributesA / DeleteFileA / RemoveDirectoryA loop) not reproduced; raw node and edge data omitted]
                                    APIs
                                    • FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                    • DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                    • FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                    • FindClose.KERNEL32(?), ref: 004E6ACA
                                    • GetLastError.KERNEL32 ref: 004E6AD0
                                    • SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                    • RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                    • GetLastError.KERNEL32 ref: 004E6B20
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: File$Find$AttributesCpp_errorErrorLastThrow_std::_$CloseDeleteDirectoryFirstNextRemove
                                    • String ID: \*.*
                                    • API String ID: 460640838-1173974218
                                    • Opcode ID: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                                    • Instruction ID: d809dff945c313677263d2cc5f51936a643c350294cf92fd29307912c56e1fe7
                                    • Opcode Fuzzy Hash: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                                    • Instruction Fuzzy Hash: EDD11670C00288CFDB10DFA9C9487EEBBB1FF65305F20425AE454BB292D7786A89DB55
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049F224
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049F322
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049F515
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1C76
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1F5D
                                    • lstrlen.KERNEL32(?), ref: 004A348E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
                                    • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with $~]d
                                    • API String ID: 2833034228-1763774129
                                    • Opcode ID: c64df62777c97d322a5cfea44e0c75d64a67c7a654b7d1bd474a30beca6b1a32
                                    • Instruction ID: 3f98b5ef17dcfaa8f689e4fcb5a5d7fbbd5e2711f2842c60bb6495c93d0a2e70
                                    • Opcode Fuzzy Hash: c64df62777c97d322a5cfea44e0c75d64a67c7a654b7d1bd474a30beca6b1a32
                                    • Instruction Fuzzy Hash: 2793DCB4D052A98ADB65CF29C990BEDBBB1BF59304F0081EAD84DA7241DB742BC4CF45
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00496504
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00496602
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 004967F5
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498078
                                    • lstrlen.KERNEL32(?), ref: 0049854F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                    • String ID: ;Yb.$Tz}9$cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 3203477177-4100205650
                                    • Opcode ID: 8d3e6dffdf2035ca745c78a717b1314b7f03d1281217fdc69459905b70fe160b
                                    • Instruction ID: 6b3be8cf9a559e92d133cc3b6572ed682d4dab2050fd03768d9c929fe5be15d2
                                    • Opcode Fuzzy Hash: 8d3e6dffdf2035ca745c78a717b1314b7f03d1281217fdc69459905b70fe160b
                                    • Instruction Fuzzy Hash: 352300B0D052688BDB25CF28C9947EDBBB5BF49304F1082EAE449A7281DB746BC4CF55
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00498804
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00498902
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00498AF8
                                    • lstrlen.KERNEL32(?), ref: 0049AE11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                    • String ID: ;Yb.$AN|5$cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 1311570089-1903585501
                                    • Opcode ID: c61fd068785eb5706be2d1d881a19459dd5c1f669e93ebd6238c48153861a5dd
                                    • Instruction ID: e112265f5291f7fbed9e5ebb381307dd27655726dfd0f1f0b2bb5fda635101ca
                                    • Opcode Fuzzy Hash: c61fd068785eb5706be2d1d881a19459dd5c1f669e93ebd6238c48153861a5dd
                                    • Instruction Fuzzy Hash: D44322B0D052688BDB25CF28C8947EEBBB5BF49304F1082EAD449A7242DB756BC4CF55
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049B158
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049B265
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049B458
                                    • lstrlen.KERNEL32(?), ref: 0049D22D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                    • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 1311570089-747751661
                                    • Opcode ID: eb01e7d3c7b4992ac3b5486cd6d724a57ea9d84b3281afa8dc1199d7da462e03
                                    • Instruction ID: b2dbe3f5757ef5304a2bca7f4d9e3a7c922558eb406562d1b13ccbd165419304
                                    • Opcode Fuzzy Hash: eb01e7d3c7b4992ac3b5486cd6d724a57ea9d84b3281afa8dc1199d7da462e03
                                    • Instruction Fuzzy Hash: BF2321B0D042688BDB25CF28C9947EDBBB1BF59304F1082EAE449A7281DB746BC4CF55

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 9717 4c8590-4c85c2 WSAStartup 9718 4c85c8-4c85f2 call 4ea420 * 2 9717->9718 9719 4c8696-4c869f 9717->9719 9724 4c85fe-4c8644 getaddrinfo 9718->9724 9725 4c85f4-4c85f8 9718->9725 9726 4c8646-4c864c 9724->9726 9727 4c8690 WSACleanup 9724->9727 9725->9719 9725->9724 9728 4c864e 9726->9728 9729 4c86a4-4c86ae FreeAddrInfoW 9726->9729 9727->9719 9731 4c8654-4c8668 socket 9728->9731 9729->9727 9730 4c86b0-4c86b8 9729->9730 9731->9727 9732 4c866a-4c867a connect 9731->9732 9733 4c867c-4c8684 closesocket 9732->9733 9734 4c86a0 9732->9734 9733->9731 9735 4c8686-4c868a FreeAddrInfoW 9733->9735 9734->9729 9735->9727
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                    • String ID:
                                    • API String ID: 448659506-0
                                    • Opcode ID: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                    • Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
                                    • Opcode Fuzzy Hash: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                    • Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049D4F4
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049D5F2
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049D7E5
                                    • lstrlen.KERNEL32(?), ref: 0049EF32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                    • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 1311570089-3306948993
                                    • Opcode ID: ee728b382585ddabe51e7070e1f48f47b718005594f77a8fe89f200b105bf760
                                    • Instruction ID: d38aed82ee4788d52106214de1412b854dd9129e0c255bb6c7140376d04d8967
                                    • Opcode Fuzzy Hash: ee728b382585ddabe51e7070e1f48f47b718005594f77a8fe89f200b105bf760
                                    • Instruction Fuzzy Hash: 570334B0D042688BDB25CF28C9947EEBBB4BF59304F1042EED449A7281EB746B84CF55

                                    Control-flow Graph

                                    [Control-flow graph of the function at 4c6d80 (basic blocks 4c6d80-4c74c3, executed/not-executed colouring, calls including DeleteFileA); the text rendering of the graph is omitted.]
                                    APIs
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004C7051
                                      • Part of subcall function 00432534: __EH_prolog3.LIBCMT ref: 00432570
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004C7062
                                      • Part of subcall function 004E74C0: __fread_nolock.LIBCMT ref: 004E7609
                                    • DeleteFileA.KERNELBASE(?), ref: 004C70EB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$DeleteFileH_prolog3__fread_nolock
                                    • String ID: 131$tumer
                                    • API String ID: 3880692912-4027956295
                                    • Opcode ID: 35ff39eefd4f96a7143577d97fbeb18272b86d3c7c318b3f640f6ce58d8c7bc0
                                    • Instruction ID: 7966019704e3fd473910eda9b3190c6326d4c2da0caac65bea49cbac806563d6
                                    • Opcode Fuzzy Hash: 35ff39eefd4f96a7143577d97fbeb18272b86d3c7c318b3f640f6ce58d8c7bc0
                                    • Instruction Fuzzy Hash: 1E32ACB4D04248CFCB04DFA8C985BAEBBB1BF58304F14419EE8056B392D779AA45CF95

                                    Control-flow Graph

                                    [Control-flow graph of the function at 4fad00 (basic blocks 4fad00-4fb364, executed/not-executed colouring); the text rendering of the graph is omitted.]
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
                                    • API String ID: 0-1885142750
                                    • Opcode ID: e2c48bff61029cb8dffcca509652bd956934744efff426072cedd2183155d05b
                                    • Instruction ID: 5912c9be0b5fe0253428befa1510005b8e6d21b15bd6994098c8da1f87b2af15
                                    • Opcode Fuzzy Hash: e2c48bff61029cb8dffcca509652bd956934744efff426072cedd2183155d05b
                                    • Instruction Fuzzy Hash: 510258B0A007089BEB209F15DC4577B7BE4EF51304F14442EEA4A9B391EBB9E944CBC6

                                    Control-flow Graph (rendered in the report as a graph image; node colouring marks blocks as Executed or Not Executed)
                                    • Entry block: 4df030; basic blocks span 4df030-4dfef2
                                    • Win32 calls on the graph: SHGetFolderPathA (block 4df030), CreateDirectoryA (blocks 4df312, 4df513, 4df833, 4dfc66)
                                    • Internal helpers called: 4359b0, 403040, 41fbf0, 4338f3, 4e6ca0, 41ab20, 41e8a0, 4163b0, 4dff00, 402cf0, 4e6770, 402df0, 438c70, 402c60
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF329
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF52A
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF84A
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DFC7D
                                      • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesErrorFindFirstFolderLastPath
                                    • String ID:
                                    • API String ID: 2127212259-0
                                    • Opcode ID: ea0b199c4fb4af4dfba1c20444169e6b1e2b83d792ff13a09952086f6a1055c0
                                    • Instruction ID: 8e27dc709fe3b7ff7b62f4d1f71842afe3ac2492894b6e8ccfd466f18f63ab33
                                    • Opcode Fuzzy Hash: ea0b199c4fb4af4dfba1c20444169e6b1e2b83d792ff13a09952086f6a1055c0
                                    • Instruction Fuzzy Hash: DBA202B4D0425D8BDF25CFA8C995AEEBBB0BF18304F2041AAD949B7351D7341A84CFA5

                                    Control-flow Graph (rendered in the report as a graph image; node colouring marks blocks as Executed or Not Executed)
                                    • Entry block: 4de430; basic blocks span 4de430-4df02f
                                    • Win32 calls on the graph: SHGetFolderPathA (block 4de430), CreateDirectoryA (blocks 4de8b2, 4ded03, 4dee59), CopyFileA (block 4dea38)
                                    • Internal helpers called: 4359b0, 403040, 41fbf0, 418f00, 4338f3, 4e6ca0, 41ab20, 4e6d70, 41ad80, 41e8a0, 4163b0, 4dff00, 402cf0, 4e6770, 402df0, 438c70, 402c60
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DE8C9
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DEA83
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DED11
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DEE67
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: same set of memory dumps as listed under the first function record above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesCopyErrorFolderLastPath
                                    • String ID:
                                    • API String ID: 1001086254-0
                                    • Opcode ID: 853d6f72cb5c0f678857b63163ccb3b14b2a86cf2ef544d30bb23aa5b3a238af
                                    • Instruction ID: 4de69712ac24b7a09e9bc2c7d11d42553b755471a164b72fa8c1d2b7ead1c118
                                    • Opcode Fuzzy Hash: 853d6f72cb5c0f678857b63163ccb3b14b2a86cf2ef544d30bb23aa5b3a238af
                                    • Instruction Fuzzy Hash: 298225B0C042598BCB15CFA9C995BEEBBB0BF18304F10419ED549BB382DB745A85CFA5

                                    Control-flow Graph (rendered in the report as a graph image; node colouring marks blocks as Executed or Not Executed)
                                    • Entry block: 4c6000; basic blocks span 4c6000-4c6493
                                    • Win32 calls on the graph: FindFirstFileA (block 4c6137), FindNextFileA (block 4c6437), GetLastError (block 4c644d), FindClose (block 4c645c)
                                    • Internal helpers called: 41ab20, 402df0, 403040, 4242a0, 418f00, 4338f3, 438c70
                                    APIs
                                    • FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                    • FindNextFileA.KERNELBASE(00000000,00000010), ref: 004C643F
                                    • GetLastError.KERNEL32 ref: 004C644D
                                    • FindClose.KERNEL32(00000000), ref: 004C645D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: same set of memory dumps as listed under the first function record above
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 819619735-0
                                    • Opcode ID: f762d99c4fa528508f5b9809e2b01a6377f531d297b90f669e44bfe66e34ce6f
                                    • Instruction ID: afe6fe270f27518361ed143ef8865d869d8c660e8b4c9bb3a5978c93709ae348
                                    • Opcode Fuzzy Hash: f762d99c4fa528508f5b9809e2b01a6377f531d297b90f669e44bfe66e34ce6f
                                    • Instruction Fuzzy Hash: ACD17CB4C043488FDB24CF98C994BEEBBB1BF45314F14829ED4496B392D7785A84CB59
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
                                    • LocalFree.KERNEL32(?), ref: 004C6B86
                                    • LocalFree.KERNEL32(?), ref: 004C6C82
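Read together, the API lists of the function records above describe the stealer's collection pattern: SHGetFolderPathA is called with CSIDL 0x1A (the per-user roaming AppData folder), subdirectories are created there with CreateDirectoryA, files are copied in with CopyFileA, directories are walked with FindFirstFileA/FindNextFileA/FindClose, and CryptUnprotectData (DPAPI) is used to decrypt user-protected blobs such as browser credential stores. The Python below is an added triage example written for this page; it is not Joe Sandbox code or part of the report. It parses lines in the report's own "APIs" bullet format, decodes the CSIDL argument, and tags each call with the behaviour it indicates. The CSIDL table is taken from shlobj.h; the capability labels are this example's own classification, and the sample lines are copied verbatim from the records on this page.

```python
"""Parse the 'APIs' bullet lists of a Joe Sandbox function record into a
behaviour summary. Added example for this report page, not Joe Sandbox code.
The capability labels below are this example's own assumption; the report
itself only lists raw calls."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One bullet per call, in the shapes seen on this page:
#   • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A
#   • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
#   • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F          (no argument list)
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?"
)

# CSIDL values for SHGetFolderPath's second argument (from shlobj.h).
CSIDL = {
    0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
    0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES",
}

# Example's own mapping from Win32 call to the behaviour it indicates in a stealer.
CAPABILITY = {
    "SHGetFolderPathA": "resolve per-user folder",
    "GetFileAttributesA": "probe whether a path exists",
    "CreateDirectoryA": "create staging directory",
    "CopyFileA": "copy file into staging directory",
    "FindFirstFileA": "enumerate directory contents",
    "FindNextFileA": "enumerate directory contents",
    "CryptUnprotectData": "decrypt DPAPI-protected blob (browser/credential stores)",
}


@dataclass
class ApiCall:
    function: str
    module: str
    args: List[str]
    ref: Optional[str]      # call-site address inside the sample
    caller: Optional[str]   # helper address when the report marks it 'Part of subcall'


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the call described by one bullet line, or None for non-API lines."""
    m = _API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("func"), m.group("module"), args, m.group("ref"), m.group("caller"))


def known_folder(call: ApiCall) -> Optional[str]:
    """Decode the CSIDL argument of SHGetFolderPathA(hwnd, csidl, token, flags, buf)."""
    if call.function != "SHGetFolderPathA" or len(call.args) < 2:
        return None
    try:
        value = int(call.args[1], 16)
    except ValueError:      # '?' means the sandbox could not resolve the value
        return None
    return CSIDL.get(value, f"CSIDL_0x{value:02X}")


def triage(report_lines: List[str]) -> Dict[str, object]:
    """Summarise a block of API lines: parsed calls, decoded folders, behaviours."""
    calls = [c for c in map(parse_api_line, report_lines) if c]
    folders = sorted({f for f in map(known_folder, calls) if f})
    caps = sorted({CAPABILITY[c.function] for c in calls if c.function in CAPABILITY})
    direct = [c.ref for c in calls if c.caller is None and c.ref]
    return {"calls": calls, "known_folders": folders, "capabilities": caps,
            "direct_call_sites": direct}


# Lines copied from the function records on this page (nothing invented).
SAMPLE_LINES = [
    "• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A",
    "• CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF329",
    "  • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC",
    "  • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F",
    "• CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DEA83",
    "• FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F",
    "• FindNextFileA.KERNELBASE(00000000,00000010), ref: 004C643F",
    "• GetLastError.KERNEL32 ref: 004C644D",
    "• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57",
    "Memory Dump Source",   # non-API line, must be ignored by the parser
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for c in result["calls"]:
        via = f"via {c.caller}" if c.caller else ""
        print(f"{c.ref}  {c.module}!{c.function}  {via}")
    print("known folders:", result["known_folders"])
    print("behaviours:", result["capabilities"])
```

Feeding the page's own lines through `triage` yields CSIDL_APPDATA as the only decoded folder and the six behaviours above; the `caller` field keeps the distinction the report draws between calls made directly by the function and calls inside helper 004E6CA0, which matters when correlating call-site addresses with the control-flow graphs.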
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: FreeLocal$CryptDataUnprotect
                                    • String ID:
                                    • API String ID: 2835072361-0
                                    • Opcode ID: 1da4f0d34072f6ba30fd19e4896b550e5d176e2ab3d70f0d169f099a65ce9a99
                                    • Instruction ID: 6019ec204b0dd747d4126109e6a4f8e7bf51aa55734569d67b400ef60c6c0d13
                                    • Opcode Fuzzy Hash: 1da4f0d34072f6ba30fd19e4896b550e5d176e2ab3d70f0d169f099a65ce9a99
                                    • Instruction Fuzzy Hash: 6171B171C002489BDB00DFA8C945BEEFBB4EF14314F10826EE851B3391EB786A44DBA5
                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053F705
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053FA07
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 885266447-0
                                    • Opcode ID: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                                    • Instruction ID: 1f76d2344d35fe0e13097961589cbfb84b6978ae6f877586e2245b879765d82e
                                    • Opcode Fuzzy Hash: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                                    • Instruction Fuzzy Hash: E3029C71A04702AFDB18CF29C840B6ABBE4BF88318F14867DE859D7650D774ED94CB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                                    • Instruction ID: 127d1e6b524efbadbaaaff55744b8fab0cc6e196c82b7e7b6ae44d0b7ee8643f
                                    • Opcode Fuzzy Hash: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                                    • Instruction Fuzzy Hash: 3BB1F67090060A9BFB28CE68D855ABFBBB1AF04304F140A1FDA52A7791C77D9D21CB59

                                    Control-flow Graph

                                    APIs
                                    • setsockopt.WS2_32(00000358,0000FFFF,00001006,?,00000008), ref: 004C7BA6
                                    • recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
                                    • WSAGetLastError.WS2_32 ref: 004C7BC5
                                    • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
                                    • recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
                                    • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
                                    • recv.WS2_32(00000000,?,00000008), ref: 004C7D1B
                                      • Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
                                      • Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
                                      • Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
                                      • Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
                                      • Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
                                      • Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
                                      • Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690
                                    • recv.WS2_32(?,00000004,00000008), ref: 004C7E23
                                    • __Xtime_get_ticks.LIBCPMT ref: 004C7E2A
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
                                    • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
                                    • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
                                    • String ID:
                                    • API String ID: 3089209366-0
                                    • Opcode ID: 73d8f8bc8ecc92c4a9a5aa98c021befa8569924b62150f826682c5cf68bcecb9
                                    • Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
                                    • Opcode Fuzzy Hash: 73d8f8bc8ecc92c4a9a5aa98c021befa8569924b62150f826682c5cf68bcecb9
                                    • Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0040B8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E242
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045E3D3
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045E4C6
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045E5BC
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 0045E808
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E986
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045EB1D
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045EC10
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045ED06
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045EDED
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045F06D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 453214671-0
                                    • Opcode ID: 7c6aeaa58c0b9a153ea23e900c0bdb69a20d50c5e76b04a78abf5970d97d9260
                                    • Instruction ID: 0e418cf523baa0a35c0a910b93c4bb77d5942d6061cfe1063ad62b245a56bb8b
                                    • Opcode Fuzzy Hash: 7c6aeaa58c0b9a153ea23e900c0bdb69a20d50c5e76b04a78abf5970d97d9260
                                    • Instruction Fuzzy Hash: 4FA226B0D012688BCB25DB65CD95BDDBBB4AF14304F0040EED44A67282EB785F88DF5A

                                    Control-flow Graph
                                    (function at 004E4720; the graph rendering is not reproduced here)
                                    APIs
                                    • RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 004E4A70
                                    • GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 004E4ADC
                                    • LsaOpenPolicy.ADVAPI32(00000000,00587684,00000001,?), ref: 004E4B35
                                    • LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 004E4B48
                                    • LsaFreeMemory.ADVAPI32(?), ref: 004E4B76
                                    • LsaClose.ADVAPI32(?), ref: 004E4B7F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
                                    • String ID: %wZ$&"N$;Yb.
                                    • API String ID: 762890658-4094109456
                                    • Opcode ID: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                                    • Instruction ID: db120a3af714b361d6db134a28a940fef9e0d4b71911d12d67c4190411436b99
                                    • Opcode Fuzzy Hash: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                                    • Instruction Fuzzy Hash: 1EE101B4D0425A8FDB14CF98C985BEEBBB4BF08304F2041AAE949B7341D7745A85CFA5

                                    Control-flow Graph
                                    (function at 00448910; the graph rendering is not reproduced here)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: af5c18eac6aee9373ea9a3a89fc0d6f7e951fb066dc8ecf711b9bb6bae0b05c0
                                    • Instruction ID: d4d7462daa34083545f9d93f0c5ebf53bf58a01a885379ada905c47cec286c1a
                                    • Opcode Fuzzy Hash: af5c18eac6aee9373ea9a3a89fc0d6f7e951fb066dc8ecf711b9bb6bae0b05c0
                                    • Instruction Fuzzy Hash: E2B1F4B0A00245AFFB11DF99C881BAE7BB1FF55304F14015EE414AB392CB78AD81CB69

                                    Control-flow Graph
                                    (function at 004D6BA0; the graph rendering is not reproduced here)
                                    APIs
                                    • GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                    • 6CE37CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                    • SetLastError.KERNEL32(00000000), ref: 004D6CFE
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
                                    • GetLastError.KERNEL32(?,?,00000000), ref: 004D6D33
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CopyFile
                                    • String ID:
                                    • API String ID: 936320341-0
                                    • Opcode ID: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                    • Instruction ID: cca443e56f4e81c83c2dc89493b37bcb85ee1d7da0cfa031959f485395bd6110
                                    • Opcode Fuzzy Hash: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                    • Instruction Fuzzy Hash: 6051C172D01219ABCB21CF94DC55BEEBBB8EB04320F10026AE804B3390D7396E05CBA4

                                    Control-flow Graph
                                    (rendered graph not reproduced; recovered from its block data: the function starts at 0x409280 and its basic blocks extend to 0x4097fe, with internal calls to 0x4163b0, 0x402df0, 0x4ea420, 0x418dc0, 0x435270, 0x4338f3 and 0x438c70. Block 0x4095f0-0x4096ce performs the GetModuleHandleA, GetProcAddress and WSASend calls and is re-entered from block 0x4096d4-0x4096dc, so the send is issued in a loop. The executed / not executed colouring of the blocks is not recoverable from the text.)
                                    APIs
                                    • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
                                    • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
                                    Similarity
                                    • API ID: AddressHandleModuleProcSend
                                    • String ID: Ws2_32.dll
                                    • API String ID: 2819740048-3093949381
                                    • Opcode ID: 36229bc7762860d1b94afdb362c75bc9198afe96d6f9a09503f3ca506ee9d700
                                    • Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
                                    • Opcode Fuzzy Hash: 36229bc7762860d1b94afdb362c75bc9198afe96d6f9a09503f3ca506ee9d700
                                    • Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96
                                    APIs
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • Part of subcall function 004E6C10: CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00465CB0
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465FD5
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465EC6
                                    Similarity
                                    • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 453214671-0
                                    • Opcode ID: 98037bc161112e31a744da87ea9d45df2885168016234282422ba706702991fa
                                    • Instruction ID: bdb7de5e538d98cc2bc1e856d074b668cb5d4ba5ca64421d2565693f44b24664
                                    • Opcode Fuzzy Hash: 98037bc161112e31a744da87ea9d45df2885168016234282422ba706702991fa
                                    • Instruction Fuzzy Hash: 8053CFB0D052688FDB65DF55C994BDDBBB0BB58304F0041EAD44AA7292EB382F84DF49
                                    APIs
                                    • GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                    • GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 995686243-0
                                    • Opcode ID: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                                    • Instruction ID: 241e2f942859b358e1133ab4bf22632851a161ac9c5554c12c2f2fb0b7350d8e
                                    • Opcode Fuzzy Hash: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                                    • Instruction Fuzzy Hash: DF11CE71A0028496DB205F6A5C08F6A7F60EB22772F64031BD8359B3D4DB3948058759
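                                    The Similarity keys of these records (API ID, String ID) can be rebuilt from their APIs lists, which is what you want when clustering this sample's functions against other RisePro builds or feeding the report into your own triage. The script below is an added example, not Joe Sandbox code: it parses the three APIs lists shown on this page (copied verbatim as constructed input), reconstructs the API ID and the referenced strings, and flags the GetProcAddress-then-WSASend shape of the Ws2_32.dll function. The tokenisation and grouping rule (split API names before capital letters, drop the Get verb and one-letter pieces, group APIs by call count in descending order, sort the token set within each group, join groups with $) is inferred from the three API IDs visible on this page and is an assumption, not the sandbox's published algorithm; the function labels are mine, not names from the report.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input: the APIs lists of three function records on this report
# page, copied verbatim. The dictionary keys are labels of mine.
REPORT_API_LINES = {
    "wsasend_func": """
• GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
• WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
""",
    "createdir_func": """
  • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
  • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
  • Part of subcall function 004E6C10: CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00465CB0
• CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465FD5
  • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
  • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
• CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465EC6
""",
    "getattr_helper": """
• GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
• GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
• std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
• std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
""",
}

# One report line: optional "Part of subcall function X:" prefix, then
# Name.MODULE, optional "(args)", then "ref: <hex call-site address>".
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[^\s(.]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-F]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int                # address of the call site
    subcall: Optional[str]  # callee through which the API is reached, if any


def parse_api_lines(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = API_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls


def api_tokens(name: str) -> set[str]:
    # Split before each capital letter; drop "Get" and one-letter pieces
    # (A/W suffixes, the letters of WSA). Assumption inferred from this page.
    return {p for p in re.split(r"(?=[A-Z])", name) if len(p) > 1 and p != "Get"}


def similarity_api_id(calls: list[ApiCall]) -> str:
    # APIs grouped by call count (most calls first), token set sorted within
    # a group, groups joined with "$". Assumption inferred from this page.
    counts = Counter(c.name for c in calls)
    tokens_by_count: dict[int, set[str]] = defaultdict(set)
    for name, n in counts.items():
        tokens_by_count[n] |= api_tokens(name)
    return "$".join("".join(sorted(tokens_by_count[n]))
                    for n in sorted(tokens_by_count, reverse=True))


HEX_OR_UNKNOWN = re.compile(r"[0-9A-F]{8}|\?")


def referenced_strings(calls: list[ApiCall]) -> list[str]:
    # Arguments that are neither a raw 8-digit hex value nor "?" are the
    # string literals the sandbox attributed to the call (its String ID).
    found: list[str] = []
    for c in calls:
        for a in c.args:
            if not HEX_OR_UNKNOWN.fullmatch(a) and a not in found:
                found.append(a)
    return found


NETWORK_SEND = {"send", "sendto", "WSASend", "WSASendTo"}


def dynamic_send_pattern(calls: list[ApiCall]) -> bool:
    # True when the function itself resolves an export at run time
    # (GetProcAddress) and a Winsock send follows it in address order:
    # the import-hiding plus exfiltration shape of the Ws2_32.dll function.
    direct = sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)
    names = [c.name for c in direct]
    if "GetProcAddress" not in names:
        return False
    return any(n in NETWORK_SEND for n in names[names.index("GetProcAddress") + 1:])


if __name__ == "__main__":
    for label, text in REPORT_API_LINES.items():
        calls = parse_api_lines(text)
        print(label, similarity_api_id(calls), referenced_strings(calls),
              dynamic_send_pattern(calls))
```

                                    The reconstructed keys match the three API IDs printed in the records above, so the same function can be matched by key across reports without re-hashing opcodes; the dynamic-send flag is the triage signal worth pulling out of a stealer report, since a function that looks up WSASend by name rather than importing it is hiding its network capability from static import analysis.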
                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E55
                                    • GetLastError.KERNEL32(?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E5F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: ChangeCloseErrorFindLastNotification
                                    • String ID: 8a
                                    • API String ID: 1687624791-2698673895
                                    APIs
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6A20
                                      • Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                      • Part of subcall function 004D6BA0: 6CE37CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B84
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$CopyErrorFileLast
                                    • String ID:
                                    • API String ID: 1723067277-0
                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00493D89
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 00493DAC
                                    • RegCloseKey.ADVAPI32(?), ref: 00493DB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    APIs
                                    • CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                                      • Part of subcall function 00432BAA: RtlReleaseSRWLockExclusive.NTDLL(004E6D30), ref: 00432BBE
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C84
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
                                    • String ID:
                                    • API String ID: 1881651058-0
                                    APIs
                                    • DeleteFileW.KERNELBASE(?,?,0043D2B1,?), ref: 0044B9D8
                                    • GetLastError.KERNEL32(?,0043D2B1,?), ref: 0044B9E2
                                    • __dosmaperr.LIBCMT ref: 0044B9E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: DeleteErrorFileLast__dosmaperr
                                    • String ID:
                                    • API String ID: 1545401867-0
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004E588F
                                    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004E5B9B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: DirectoryInformationVolumeWindows
                                    • String ID:
                                    • API String ID: 3487004747-0
                                    APIs
                                      • Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(5C79D584,00000000,00000000,0043D0C7), ref: 00448F02
                                    • WriteFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?,004E6E3C,?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7), ref: 0044990E
                                    • GetLastError.KERNEL32(?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7,004E6E3C,?,00000000,?), ref: 00449918
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: ConsoleErrorFileLastOutputWrite
                                    • String ID:
                                    • API String ID: 2915228174-0
                                    APIs
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004D676A
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004D677B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_
                                    • String ID:
                                    • API String ID: 2134207285-0
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(00000000,00000000,0043D0C7,00000000,00000002,00000000,00000000,00000000,00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000), ref: 00442558
                                    • GetLastError.KERNEL32(00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000,?,0044982E,00000000,00000000,00000000,00000002,0043D0C7,00000000), ref: 00442565
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastPointer
                                    • String ID:
                                    • API String ID: 2976181284-0
                                    APIs
                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B030
                                    • GetLastError.KERNEL32(?,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B03B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 485612231-0
                                    • Opcode ID: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                    • Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
                                    • Opcode Fuzzy Hash: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                    • Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798
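The dump identifiers in the Memory Dump Source list encode where each region of the process was mapped and with which protection. The following is an added example, not part of the Joe Sandbox report: it parses those names and flags image-backed regions mapped PAGE_EXECUTE_READWRITE, which for this sample is the run of dumps from 0x598000 through 0x7B4000. The field layout assumed for an .sdmp name (process index, round, dump id, base address, protection, an undecoded field, memory type, sequence) is inferred from the listing above and is an assumption; the PAGE_* and MEM_IMAGE values are the standard winnt.h constants, and the sample names are copied from the list above.

```python
"""Decode Joe Sandbox memory-dump names and flag writable+executable image regions.

Added example. The .sdmp field layout below is an assumption inferred from the
report listing, not a documented format; PAGE_*/MEM_IMAGE are winnt.h values.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Memory protection / type constants from winnt.h.
PAGE_EXECUTE_READWRITE = 0x40
MEM_IMAGE = 0x01000000
PROTECTION_NAMES = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layout: <proc>.<round>.<dumpid>.<base>.<protect>.<unknown>.<type>.<seq>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<round>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<unknown>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<seq>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    proc: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Low byte carries the base protection; PAGE_GUARD etc. are modifier bits above it.
        return PROTECTION_NAMES.get(self.protect & 0xFF, f"0x{self.protect:08X}")

    def is_rwx_image(self) -> bool:
        # A normally compiled PE maps .text RX and .data RW. Image-backed memory that is
        # both writable and executable usually comes from a section whose characteristics
        # were set by a packer, so it is worth checking against the PE section table.
        return (self.protect & 0xFF) == PAGE_EXECUTE_READWRITE and self.mem_type == MEM_IMAGE


def parse_dump_name(name: str) -> Optional[DumpRegion]:
    """Return a DumpRegion for a well-formed .sdmp name, or None if it does not match."""
    m = SDMP_RE.match(name.strip())
    if not m:
        return None
    return DumpRegion(
        proc=int(m["proc"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
    )


def rwx_image_bases(names: Iterable[str]) -> List[int]:
    """Sorted base addresses of image regions mapped PAGE_EXECUTE_READWRITE."""
    regions = [r for r in map(parse_dump_name, names) if r is not None]
    return sorted(r.base for r in regions if r.is_rwx_image())


def layout_summary(names: Iterable[str]) -> Dict[int, str]:
    """Map base address -> protection name, giving a quick view of the image layout."""
    summary: Dict[int, str] = {}
    for region in map(parse_dump_name, names):
        if region is not None:
            summary[region.base] = region.protect_name
    return summary


# A subset of the dump names listed in this report.
SAMPLE_DUMPS = [
    "00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for base, prot in sorted(layout_summary(SAMPLE_DUMPS).items()):
        print(f"{base:#010x}  {prot}")
    print("RWX image regions:", [hex(b) for b in rwx_image_bases(SAMPLE_DUMPS)])
```

Run against the full list, the script reports a read-only header at 0x400000, an RX region at 0x401000 and 0x9B2000, RW data at 0x585000 and 0x596000, and a contiguous set of RWX image regions starting at 0x598000. Taken together with the report's "PE file contains section with special chars" signature, that layout is the kind a packer produces; the confirmation step is to compare these regions with the section table of the original PE.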
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: efb3c3bd782524ca9452cfa108d9499f19190cabffa6b3f3d668b7e84d9a7b29
                                    • Instruction ID: 65307ecbef6fb9e01e3d4ad067897c34c173f6a72c2a6aa1ef5fcaa49911cde8
                                    • Opcode Fuzzy Hash: efb3c3bd782524ca9452cfa108d9499f19190cabffa6b3f3d668b7e84d9a7b29
                                    • Instruction Fuzzy Hash: 0E02A070D04248DFDB14DF68C945BDDBBB0AB14308F14419ED8057B386EBB95E88DB9A
                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00414093
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    • Opcode ID: e5e77736cee01c048ca598f33ea93b4c08ab8cd2e48cfadc695183fb4b68044b
                                    • Instruction ID: 20828e305faf8902bc30eee05bf9285b15bc31f2c0f4ddd4d11a1ed2060bf189
                                    • Opcode Fuzzy Hash: e5e77736cee01c048ca598f33ea93b4c08ab8cd2e48cfadc695183fb4b68044b
                                    • Instruction Fuzzy Hash: 21C138B0901249DFDB00CFA9C444799FBF0AF49314F28C1AEE458AB391D77A9A45CF95
                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0041546E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    • Opcode ID: 605aa84c53d1c06fd5e6cdf41f604a7b3fccc91fdcca7bf9b36104f76f86f3cf
                                    • Instruction ID: bd448271620100f3a1b1b6e8090fbb17c8ec551eb96fe3ea9a7077eb077db61a
                                    • Opcode Fuzzy Hash: 605aa84c53d1c06fd5e6cdf41f604a7b3fccc91fdcca7bf9b36104f76f86f3cf
                                    • Instruction Fuzzy Hash: AF6199B1A00614DFCB10CF59C984B9ABBF5FF88310F24816EE8199B391C778EA41CB95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                                    • Instruction ID: 9663080612542d3e5f9b84a36c3ecf1ef98ea00319430370267f097460dfd66c
                                    • Opcode Fuzzy Hash: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                                    • Instruction Fuzzy Hash: 2651C670A00204AFDF14DF59C881AAABBA2EF8D328F24915EF8089B352D775DD41CB55
                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00429F7B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    • Opcode ID: 8482c0d6c957f33918d9138d1bd6797b8604ed2ab317032aa5cc83da2685a5d5
                                    • Instruction ID: efe4cd6a287aa12a83b409d23e88dd93d6c4865ddef84cf0d949cd52fc0f7608
                                    • Opcode Fuzzy Hash: 8482c0d6c957f33918d9138d1bd6797b8604ed2ab317032aa5cc83da2685a5d5
                                    • Instruction Fuzzy Hash: AA410271E001259FCB14DF68C9419AEBBB9EB89310F64422EE815E7381D738DE01CBE4
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 09dbeedca0382fe83fa6e64ccb476af2fb42ace462cdada0f63a81bd75d016a3
                                    • Instruction ID: 028c77ef4637c0ac0bfd58be9ca2c186fed01019b569c5d695070078eed700b9
                                    • Opcode Fuzzy Hash: 09dbeedca0382fe83fa6e64ccb476af2fb42ace462cdada0f63a81bd75d016a3
                                    • Instruction Fuzzy Hash: A8517FB0D043499BDB10DF99D986BAEFBB4FF44714F10012EE8416B381D7796A44CBA5
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 018f489811a338dcef82faead4130839585db85a1beb9436eeefc27b6700566d
                                    • Instruction ID: 959dba962c579710b3c8227977385e6342f185642bc3a86ace1f34c607c4467c
                                    • Opcode Fuzzy Hash: 018f489811a338dcef82faead4130839585db85a1beb9436eeefc27b6700566d
                                    • Instruction Fuzzy Hash: 78416CB0D04248EBDB14DF99D985BEEBBB4FF48714F10416EE801AB381D7799901CBA5
                                    APIs
                                    • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00406908
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: ___std_fs_directory_iterator_open@12
                                    • String ID:
                                    • API String ID: 29801545-0
                                    • Opcode ID: c3b8b3600ed0ad07f9a4110fed077291c3700e835e34d0cb827fcc3074b6ad22
                                    • Instruction ID: 382a6ddcba4688358f9e0a4ad0208e6a3358ad319658d54a7c18dfc33c73484c
                                    • Opcode Fuzzy Hash: c3b8b3600ed0ad07f9a4110fed077291c3700e835e34d0cb827fcc3074b6ad22
                                    • Instruction Fuzzy Hash: AB21AE76E00619ABCB14EF49D841BAAB7B4FB84324F00466EED1663780DB396D10CB94
                                    APIs
                                    • SetupDiGetClassDevsA.SETUPAPI(0055D560,00000000,00000000), ref: 004E5D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: ClassDevsSetup
                                    • String ID:
                                    • API String ID: 2330331845-0
                                    • Opcode ID: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
                                    • Instruction ID: 3af1858aaf6aa964ebdd9f4359c5c99147492c850a3065a18f0c0dee6211d041
                                    • Opcode Fuzzy Hash: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
                                    • Instruction Fuzzy Hash: A0110EB1D04B449BE3208F28DD0A757BBF0EB00B28F10471EE850573C1E3BA6A4887E2
                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0040331F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    • Opcode ID: 6b439644f511b7bf5bd0b924e2b63d29697b7510f9c6a7035d7f710025fe36b7
                                    • Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
                                    • Opcode Fuzzy Hash: 6b439644f511b7bf5bd0b924e2b63d29697b7510f9c6a7035d7f710025fe36b7
                                    • Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,000000FF,00000000), ref: 0044A69B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 44fe68ec2fca24d705c4288583a30094579fd4d4051ae38cb78614132530c581
                                    • Instruction ID: 9689b7dccde3e7d2c1426315cc49502dff6dd5535dcc2f3da2dc3831567fdc71
                                    • Opcode Fuzzy Hash: 44fe68ec2fca24d705c4288583a30094579fd4d4051ae38cb78614132530c581
                                    • Instruction Fuzzy Hash: 4CF0E0311905246BFB216A66DC05B5B375CAF41760F1E8117EC84EB190CA3CDC3146EE
                                    APIs
                                    • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406853
                                      • Part of subcall function 00431F7B: FindNextFileW.KERNELBASE(?,?,?,00406858,?,?,?,?,0040691A,?,?,?,00000000,?,?), ref: 00431F84
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: FileFindNext___std_fs_directory_iterator_advance@8
                                    • String ID:
                                    • API String ID: 3878998205-0
                                    • Opcode ID: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                                    • Instruction ID: f155dccb83496c4d8f98fbb14974b26749813e83e467fdfa34ea523ab42003ff
                                    • Opcode Fuzzy Hash: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                                    • Instruction Fuzzy Hash: 63D05E22701520118D24752738085AF06498DC66A8A42447FB84AB32C2EA2D8C0311AD
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2848746217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2848713865.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2848901492.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849258759.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000072E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000732000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000734000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000736000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000738000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000772000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000778000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.000000000077E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000780000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000782000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007AC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2849375383.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2851136094.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_PNO3otPYOa.jbxd
                                    Similarity
                                    • API ID: H_prolog3
                                    • String ID:
                                    • API String ID: 431132790-0
                                    • Opcode ID: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                                    • Instruction ID: ccf5b3b5ee64302dd7184922bc8d264c22512182c10063c293431932d1ea205a
                                    • Opcode Fuzzy Hash: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                                    • Instruction Fuzzy Hash: 13E09AB2C0020D9ADB00DFD5C452BEFBBB8AB08315F50446BA205E6181EB789748CBE5