
Windows Analysis Report
7rA1iX60wh.exe

Overview

General Information

Sample name: 7rA1iX60wh.exe (renamed because original name is a hash value)
Original sample name: a8b80d67357afbd703ee2a13d9cbf339.exe
Analysis ID: 1460406
MD5: a8b80d67357afbd703ee2a13d9cbf339
SHA1: 68620481e594727f1751d84b1e372a5b72d421f9
SHA256: f42d98ec4c311b66ce4b40a98db073cfdf86af1e6fa63b8f9a07555cb4e7958d
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 7rA1iX60wh.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\7rA1iX60wh.exe" MD5: A8B80D67357AFBD703EE2A13D9CBF339)
    • schtasks.exe (PID: 6928 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7072 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 6896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1944 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 1364 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A8B80D67357AFBD703EE2A13D9CBF339)
    • WerFault.exe (PID: 5744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1860 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 5232 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A8B80D67357AFBD703EE2A13D9CBF339)
    • WerFault.exe (PID: 5780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1904 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 2004 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A8B80D67357AFBD703EE2A13D9CBF339)
  • RageMP131.exe (PID: 6972 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A8B80D67357AFBD703EE2A13D9CBF339)
  • cleanup
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\SYv2wcsD2EVzcZNBuLFypWC.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\lw3hbkC7r6iSSxte_tz5rje.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

Source | Rule | Description | Author
00000006.00000002.1984656819.0000000005770000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000002.2009861773.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000003.1836658218.00000000057AF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000005.00000002.1996827426.0000000005793000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of the 20 memory-dump entries shown)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\7rA1iX60wh.exe, ProcessId: 6752, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
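The process tree above and this Sysmon event together describe the persistence chain: the sample copies itself to C:\ProgramData\MPGPH131\MPGPH131.exe and C:\Users\user\AppData\Local\RageMP131\RageMP131.exe (both carry the original MD5), registers two scheduled tasks with /rl HIGHEST (one hourly, one at logon), and writes a CurrentVersion\Run value from the original process. The Python below is an added example, not part of the Joe Sandbox report and not RisePro code, showing how an analyst can run process-creation and registry events through checks for exactly that chain. The event records are constructed from the command lines and the Sysmon hit quoted on this page; the field names, the list of user-writable directories and the list of unattended triggers are assumptions of the example.

```python
import re

# Constructed input: command lines from this report's process tree and the Sysmon
# registry event from its System Summary. Field names are this example's own choice.
PROCESS_EVENTS = [
    {"pid": 6752, "cmdline": r'"C:\Users\user\Desktop\7rA1iX60wh.exe"'},
    {"pid": 6928, "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"pid": 7072, "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    {"pid": 1364, "cmdline": r"C:\ProgramData\MPGPH131\MPGPH131.exe"},
]
REGISTRY_EVENTS = [
    {"event_id": 13, "event_type": "SetValue", "pid": 6752,
     "image": r"C:\Users\user\Desktop\7rA1iX60wh.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131",
     "details": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
]

# Directories a standard user can write to (assumed list). Persistence pointing here
# instead of Program Files or System32 is the first thing to pull for triage.
USER_WRITABLE = ("/programdata/", "/appdata/local/", "/appdata/roaming/",
                 "/users/public/", "/temp/")
# Triggers that re-launch a binary without any user action (assumed list).
AUTO_TRIGGERS = ("ONLOGON", "ONSTART", "MINUTE", "HOURLY")

_FLAG = re.compile(r'/(tr|tn|sc|rl|ru)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _norm(path):
    return path.lower().replace("\\", "/")


def in_user_writable(path):
    return any(marker in _norm(path) for marker in USER_WRITABLE)


def _executable_name(cmdline):
    """First token of a Windows command line, unquoted and without its directory."""
    s = cmdline.strip()
    first = s[1:s.index('"', 1)] if s.startswith('"') else s.split(None, 1)[0]
    return first.rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Return the valued flags of a 'schtasks /create' command line, or None."""
    if _executable_name(cmdline) not in ("schtasks", "schtasks.exe"):
        return None
    if "/create" not in cmdline.lower():
        return None
    flags = {}
    for m in _FLAG.finditer(cmdline):
        flags[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return flags


def task_findings(events):
    out = []
    for ev in events:
        flags = parse_schtasks(ev["cmdline"])
        if not flags or "tr" not in flags:
            continue
        reasons = []
        if in_user_writable(flags["tr"]):
            reasons.append("task runs a binary from a user-writable directory")
        if flags.get("rl", "").upper() == "HIGHEST":
            reasons.append("/rl HIGHEST runs the task with the highest privileges the user has")
        if flags.get("sc", "").upper() in AUTO_TRIGGERS:
            reasons.append("trigger %s needs no user action" % flags["sc"].upper())
        if reasons:
            out.append({"type": "scheduled_task", "pid": ev["pid"], "name": flags.get("tn"),
                        "target": flags["tr"], "reasons": reasons})
    return out


def autorun_findings(events):
    out = []
    for ev in events:
        if ev["event_id"] != 13 or ev["event_type"] != "SetValue":
            continue
        key = _norm(ev["target"])
        if "/currentversion/run/" not in key and "/currentversion/runonce/" not in key:
            continue
        reasons = ["value written under CurrentVersion\\Run"]
        if in_user_writable(ev["details"]):
            reasons.append("autorun target is in a user-writable directory")
        if _norm(ev["details"]) != _norm(ev["image"]):
            reasons.append("writer differs from the autorun target (self-copy before persisting)")
        out.append({"type": "autorun_key", "pid": ev["pid"],
                    "name": ev["target"].rsplit("\\", 1)[-1],
                    "target": ev["details"], "reasons": reasons})
    return out


def hunt(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS):
    return task_findings(process_events) + autorun_findings(registry_events)


if __name__ == "__main__":
    for f in hunt():
        print("%-15s pid=%-5d %-12s -> %s" % (f["type"], f["pid"], f["name"], f["target"]))
        for r in f["reasons"]:
            print("    -", r)
```

Running it lists both tasks and the Run value with three reasons each. On a live host the same checks apply to `schtasks /query /xml` output and to Sysmon Event ID 13 records; the self-copy heuristic (writer path differs from the autorun target) is what separates this sample's behaviour from a legitimate installer registering itself.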
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/20/24-23:32:17.457498 | 2046269 | 49732 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:32:05.022651 | 2046269 | 49731 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:32:01.314499 | 2049060 | 49731 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:32:23.634453 | 2046266 | 58709 | 49751 | TCP | A Network Trojan was detected
06/20/24-23:32:05.631353 | 2046266 | 58709 | 49732 | TCP | A Network Trojan was detected
06/20/24-23:32:18.079804 | 2046267 | 58709 | 49740 | TCP | A Network Trojan was detected
06/20/24-23:32:16.340233 | 2046266 | 58709 | 49740 | TCP | A Network Trojan was detected
06/20/24-23:32:01.877338 | 2046266 | 58709 | 49731 | TCP | A Network Trojan was detected
06/20/24-23:32:05.646014 | 2046266 | 58709 | 49733 | TCP | A Network Trojan was detected
06/20/24-23:32:17.457568 | 2046269 | 49733 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:32:06.016692 | 2046267 | 58709 | 49731 | TCP | A Network Trojan was detected
06/20/24-23:32:06.217335 | 2046267 | 58709 | 49732 | TCP | A Network Trojan was detected
06/20/24-23:32:06.245750 | 2046267 | 58709 | 49733 | TCP | A Network Trojan was detected

AV Detection

Source: http://77.91.77.81/cost/go.exe | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exet1 | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exeshinam | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe0.1 | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exeilesCO | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeer | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exet | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe | Avira URL Cloud: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: 7rA1iX60wh.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_004C6B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,5_2_004C6B00
Source: 7rA1iX60wh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,0_2_00493F40
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004C6000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,5_2_004E6770
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,5_2_00493F40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,5_2_004DFF00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError,5_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,5_2_00432022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004938D0

Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49740
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49740
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49751
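The thirteen Snort hits listed in the System Summary and the Snort IDS lines just above carry enough to rebuild the C2 conversation per connection: the client side is whichever port is not 58709, and the four Emerging Threats SIDs map to the heartbeat, token, external-IP and activity messages. The Python below is an added example, not part of the Joe Sandbox report, that groups the alerts by client port, orders each group in time and reports how many separate connections the sample opened to the C2 port within the capture. The alert tuples are constructed from the timestamps and ports on this page; the SID names are the rule titles quoted in the report, shortened.

```python
from collections import defaultdict
from datetime import datetime

# Meaning of each Emerging Threats SID, shortened from the rule titles in this report.
SID_NAMES = {
    2049060: "Heartbeat",
    2046266: "Token",
    2046267: "External IP",
    2046269: "Activity",
}
C2_PORT = 58709  # the server-side port present in every alert of this report

# Constructed input: the thirteen alerts from the report's Snort block, one tuple per
# alert as (timestamp, sid, source port, destination port), in the order listed there.
ALERTS = [
    ("06/20/24-23:32:17.457498", 2046269, 49732, 58709),
    ("06/20/24-23:32:05.022651", 2046269, 49731, 58709),
    ("06/20/24-23:32:01.314499", 2049060, 49731, 58709),
    ("06/20/24-23:32:23.634453", 2046266, 58709, 49751),
    ("06/20/24-23:32:05.631353", 2046266, 58709, 49732),
    ("06/20/24-23:32:18.079804", 2046267, 58709, 49740),
    ("06/20/24-23:32:16.340233", 2046266, 58709, 49740),
    ("06/20/24-23:32:01.877338", 2046266, 58709, 49731),
    ("06/20/24-23:32:05.646014", 2046266, 58709, 49733),
    ("06/20/24-23:32:17.457568", 2046269, 49733, 58709),
    ("06/20/24-23:32:06.016692", 2046267, 58709, 49731),
    ("06/20/24-23:32:06.217335", 2046267, 58709, 49732),
    ("06/20/24-23:32:06.245750", 2046267, 58709, 49733),
]


def parse_ts(text):
    """Snort fast-log timestamp (MM/DD/YY-HH:MM:SS.usec) to datetime."""
    return datetime.strptime(text, "%m/%d/%y-%H:%M:%S.%f")


def sessions(alerts, c2_port=C2_PORT):
    """Group alerts by client port; direction follows from which side holds the C2 port."""
    by_port = defaultdict(list)
    for ts, sid, sport, dport in alerts:
        if dport == c2_port:
            client, direction = sport, "->"   # client to C2
        elif sport == c2_port:
            client, direction = dport, "<-"   # C2 to client
        else:
            continue  # unrelated alert
        by_port[client].append((parse_ts(ts), direction, SID_NAMES.get(sid, str(sid))))
    return {port: sorted(events) for port, events in by_port.items()}


def session_sequences(alerts, c2_port=C2_PORT):
    """Just the ordered message names per client port."""
    return {port: [name for _, _, name in events]
            for port, events in sessions(alerts, c2_port).items()}


def connection_summary(alerts, c2_port=C2_PORT):
    """How many separate connections the client opened and the window they span."""
    sess = sessions(alerts, c2_port)
    times = [ev[0] for events in sess.values() for ev in events]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"client_ports": sorted(sess), "span_seconds": span}


def timeline(alerts, c2_port=C2_PORT):
    """Human-readable lines, one per alert, grouped by connection."""
    lines = []
    for port, events in sorted(sessions(alerts, c2_port).items()):
        lines.append("connection from client port %d" % port)
        for ts, direction, name in events:
            lines.append("  %s %s %s" % (ts.strftime("%H:%M:%S.%f"), direction, name))
    return lines


if __name__ == "__main__":
    print("\n".join(timeline(ALERTS)))
    print(connection_summary(ALERTS))
```

The first connection (client port 49731) shows the full handshake, heartbeat out, token in, activity out, external IP in; the later connections are shorter because only some of their packets matched a rule. Five client ports to one server port in about 22 seconds is the reconnect pattern worth alerting on even where the ET signatures are not deployed.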
Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: ipinfo.io; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 104.26.4.15
Source: Joe Sandbox View | IP Address: 77.91.77.66
Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected (5 requests): GET /widget/demo/8.46.123.33 HTTP/1.1; Connection: Keep-Alive; Referer: https://ipinfo.io/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: ipinfo.io
Source: global traffic | HTTP traffic detected (5 requests): GET /demo/home.php?s=8.46.123.33 HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: db-ip.com
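Three traits of the HTTP requests above are worth encoding as detections: the first GET to ipinfo.io carries no User-Agent at all, the later requests claim a Chrome User-Agent yet put Host last instead of first, and the db-ip.com request sends a Content-Type header on a GET with no body. The Python below is an added example, not code from the report or from RisePro, that parses raw request heads and flags those traits together with the IP address being looked up. The three request heads are constructed from the lines on this page; the set of lookup hosts and the header-order heuristic (browsers send Host first) are assumptions of the example.

```python
import re

# The two lookup services contacted in this report (assumed set; extend as needed).
IP_LOOKUP_HOSTS = {"ipinfo.io", "db-ip.com"}
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed input: the three distinct request heads from the report's HTTP lines,
# rebuilt with CRLF line endings and the header order shown on the page.
_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
       "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")
REQUESTS = [
    "GET / HTTP/1.1\r\nHost: ipinfo.io\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /widget/demo/8.46.123.33 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    "Referer: https://ipinfo.io/\r\nUser-Agent: " + _UA + "\r\nHost: ipinfo.io\r\n\r\n",
    "GET /demo/home.php?s=8.46.123.33 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: " + _UA
    + "\r\nHost: db-ip.com\r\n\r\n",
]


def parse_request(raw):
    """Split a request head into (method, target, version, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def extract_ipv4(text):
    """First syntactically valid dotted-quad in the text, or None."""
    for m in _IPV4.finditer(text):
        if all(0 <= int(octet) <= 255 for octet in m.group(0).split(".")):
            return m.group(0)
    return None


def assess(raw):
    method, target, _, headers = parse_request(raw)
    host = (header(headers, "Host") or "").lower()
    ua = header(headers, "User-Agent")
    reasons = []
    if host in IP_LOOKUP_HOSTS:
        reasons.append("request to public IP lookup service %s" % host)
    if ua is None:
        reasons.append("no User-Agent header")
    if method == "GET" and header(headers, "Content-Type") is not None:
        reasons.append("Content-Type on a bodyless GET (hand-rolled client, not a browser)")
    # Heuristic: browsers emit Host as the first header; a client that copies a browser
    # User-Agent string but not its header order is usually a WinHTTP/WinINet caller.
    if ua and "Chrome/" in ua and headers and headers[0][0].lower() != "host":
        reasons.append("claims a Chrome User-Agent but Host is not the first header")
    return {"host": host, "method": method, "target": target,
            "looked_up_ip": extract_ipv4(target), "reasons": reasons}


def assess_all(requests=REQUESTS):
    return [assess(r) for r in requests]


if __name__ == "__main__":
    for result in assess_all():
        print(result["method"], result["host"], result["target"], result["looked_up_ip"])
        for r in result["reasons"]:
            print("    -", r)
```

The looked-up address (8.46.123.33 here, the sandbox's egress IP) is the value the stealer reports back over the 58709 channel, so a proxy log that records the request target also records what the attacker learned. The User-Agent string on its own is a poor indicator; the combination of lookup host, missing or mismatched User-Agent and the stray Content-Type is what makes these requests stand out.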
Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66 (50 occurrences)
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,0_2_004C8590
                Source: global trafficDNS traffic detected: DNS query: ipinfo.io
                Source: global trafficDNS traffic detected: DNS query: db-ip.com
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2010522434.000000000579A000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1878548593.000000000577B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1996805770.000000000577C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984656819.0000000005784000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exe
                Source: 7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805983196.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806092362.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849328886.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849083129.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe
                Source: MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849328886.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984816945.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe
                Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
                Source: 7rA1iX60wh.exe, 00000000.00000003.1659354541.0000000002870000.00000004.00001000.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1994134545.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1696368041.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1982433070.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1696579739.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1805385974.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1908108475.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1891971662.0000000002870000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1990858548.000000000055D000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1742235564.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1760151148.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1909577550.000000000100C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
                Source: RageMP131.exe, 00000010.00000002.1992597918.0000000000F63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F4C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
                Source: 7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000E22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1909577550.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RageMP131.exe, 00000010.00000002.1992597918.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F4C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
                Source: 7rA1iX60wh.exe, 00000000.00000003.1659354541.0000000002870000.00000004.00001000.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1994134545.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1696368041.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1982433070.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1696579739.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1805385974.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1908108475.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1891971662.0000000002870000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1990858548.000000000055D000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                Source: 7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1909577550.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
                Source: 7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F4C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
                Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://support.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                Source: MPGPH131.exe, 00000005.00000003.1836286933.0000000005AF6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1835513578.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1831926883.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1835916752.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, R0S0RUVxqvyQHistory.0.dr, kIQomd5yBLOGHistory.0.dr, AB89z_t13yqTHistory.6.dr, uXAOMY6nzRJRHistory.6.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1835916752.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, R0S0RUVxqvyQHistory.0.dr, kIQomd5yBLOGHistory.0.dr, AB89z_t13yqTHistory.6.dr, uXAOMY6nzRJRHistory.6.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: 7rA1iX60wh.exe, 00000000.00000003.1836658218.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009861773.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057BB000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1996827426.0000000005793000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984656819.0000000005770000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1909577550.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, SYv2wcsD2EVzcZNBuLFypWC.zip.0.dr, lw3hbkC7r6iSSxte_tz5rje.zip.5.dr | String found in binary or memory: https://t.me/RiseProSUPPORT
                Source: RageMP131.exe, 00000010.00000002.1992597918.0000000000F63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/risepro
                Source: RageMP131.exe, 00000010.00000002.1992597918.0000000000F63000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.0.dr | String found in binary or memory: https://t.me/risepro_bot
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: 7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: 7rA1iX60wh.exe, MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: 7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805983196.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805641702.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806092362.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1848839634.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849328886.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849083129.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984816945.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                Source: MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/6-
                Source: 7rA1iX60wh.exe, 00000000.00000003.1803712215.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1798349872.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1797988118.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1798769689.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2010522434.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1996827426.0000000005793000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1830541260.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984656819.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: 7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805983196.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805641702.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806092362.00000000057E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Q
                Source: MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/u
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: 7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805983196.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805641702.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806092362.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1848839634.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849328886.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849083129.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984816945.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                Source: 7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805983196.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805641702.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806092362.00000000057E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/allets
                Source: MPGPH131.exe, 00000006.00000003.1848839634.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849328886.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849083129.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984816945.00000000057D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/e
                Source: MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
                Source: 7rA1iX60wh.exe, 00000000.00000003.1803712215.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1798349872.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1797988118.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1798769689.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2010522434.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1996827426.0000000005793000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1830541260.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984656819.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49738 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49739 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49747 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49753 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49755 version: TLS 1.2
                Source: C:\Users\user\Desktop\7rA1iX60wh.exeCode function: 0_2_004E5FF0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,6FE374A0,DeleteObject,DeleteObject,ReleaseDC,0_2_004E5FF0

                System Summary

                Source: 7rA1iX60wh.exe | Static PE information: section name:
                Source: 7rA1iX60wh.exe | Static PE information: section name:
                Source: 7rA1iX60wh.exe | Static PE information: section name:
                Source: 7rA1iX60wh.exe | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0044002D
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DF030
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0049F0D0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004AA200
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0049D3A0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004963B0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00490440
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DE430
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0053F550
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004D7600
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004986B0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0040B8E0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00481C10
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004FAD00
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00493F40
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0049AF60
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DFF00
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00493080
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004371A0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0044036F
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004A4320
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004845E0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0042F580
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004A3610
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_005486C0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00547760
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004E77E0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004547BF
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0043C960
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0043A928
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0044DA86
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00458BB0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004EEC40
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004EFC40
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00534D40
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00546D20
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00545DE0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00458E30
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00541F00
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004F2FD0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0044002D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DF030
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0049F0D0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004AA200
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0049D3A0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004963B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00490440
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DE430
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0053F550
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004D7600
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004986B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0040B8E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00481C10
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004FAD00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0049AF60
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493080
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004371A0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0044036F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004A4320
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004845E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0042F580
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004A3610
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_005486C0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00547760
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004E77E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004547BF
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0043C960
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0043A928
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0044DA86
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00458BB0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004EEC40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004EFC40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00534D40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00546D20
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00545DE0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00458E30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00541F00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004F2FD0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: String function: 0041ACE0 appears 86 times
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0041ACE0 appears 86 times
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1944
                Source: 7rA1iX60wh.exe | Binary or memory string: OriginalFilename vs 7rA1iX60wh.exe
                Source: 7rA1iX60wh.exe, 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs 7rA1iX60wh.exe
                Source: 7rA1iX60wh.exe, 00000000.00000000.1657068315.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs 7rA1iX60wh.exe
                Source: 7rA1iX60wh.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs 7rA1iX60wh.exe
                Source: 7rA1iX60wh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 7rA1iX60wh.exe | Static PE information: Section: ZLIB complexity 0.9985052456245028
                Source: 7rA1iX60wh.exe | Static PE information: Section: ZLIB complexity 0.9933916823308271
                Source: 7rA1iX60wh.exe | Static PE information: Section: ZLIB complexity 0.98974609375
                Source: 7rA1iX60wh.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9985052456245028
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9933916823308271
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.98974609375
                Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9985052456245028
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9933916823308271
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.98974609375
                Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/60@2/3
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File created: C:\Users\user\AppData\Local\RageMP131
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5232
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6752
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1364
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 7rA1iX60wh.exe, 00000000.00000003.1659354541.0000000002870000.00000004.00001000.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1994134545.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1696368041.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1982433070.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1696579739.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1805385974.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1908108475.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1891971662.0000000002870000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1990858548.000000000055D000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: 7rA1iX60wh.exe, 00000000.00000003.1659354541.0000000002870000.00000004.00001000.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1994134545.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1696368041.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1982433070.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1696579739.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1805385974.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1908108475.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.1891971662.0000000002870000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1990858548.000000000055D000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: MPGPH131.exe, 00000005.00000003.1832516736.00000000057C1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1831988470.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1831764215.00000000057C1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1831495687.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, eYQJ_YGPGqbuLogin Data For Account.6.dr, Rb2xMzRNsLcbLogin Data.6.dr, mf8AS39i8yL1Login Data.0.dr, w8m6J4EPt9q1Login Data For Account.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 7rA1iX60wh.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File read: C:\Users\user\Desktop\7rA1iX60wh.exe
Source: unknown | Process created: C:\Users\user\Desktop\7rA1iX60wh.exe "C:\Users\user\Desktop\7rA1iX60wh.exe"
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1944
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1860
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1904
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe (second instance) | Section loaded: the same 36 modules as the first instance, without apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe (second instance) | Section loaded: the same 30 modules as the first instance, without apphelp.dll
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 7rA1iX60wh.exe | Static file information: File size 3308048 > 1048576
Source: 7rA1iX60wh.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x270200
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject | 0_2_004CF280
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: 7rA1iX60wh.exe | Static PE information: section name: (blank or non-printable; four such sections)
Source: 7rA1iX60wh.exe | Static PE information: section name: .themida
Source: 7rA1iX60wh.exe | Static PE information: section name: .boot
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank or non-printable; four such sections)
Source: RageMP131.exe.0.dr | Static PE information: section name: .themida
Source: RageMP131.exe.0.dr | Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank or non-printable; four such sections)
Source: MPGPH131.exe.0.dr | Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr | Static PE information: section name: .boot
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_005A8A35 push ecx; mov dword ptr [esp], ebp | 0_2_007C5B56
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_005A8A35 push eax; mov dword ptr [esp], esi | 0_2_007C5B85
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_005A8A35 push edx; mov dword ptr [esp], ecx | 0_2_007C5B93
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_005A8A35 push ebp; mov dword ptr [esp], edi | 0_2_007C5BE3
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00588BD8 push 00000063h; retf | 0_2_00588BDB
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00588BE4 push dword ptr [ebx-4C02E8F6h]; retf 0000h | 0_2_00588EFB
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00433F59 push ecx; ret | 0_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_005A8A35 push ecx; mov dword ptr [esp], ebp | 5_2_007C5B56
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_005A8A35 push eax; mov dword ptr [esp], esi | 5_2_007C5B85
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_005A8A35 push edx; mov dword ptr [esp], ecx | 5_2_007C5B93
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_005A8A35 push ebp; mov dword ptr [esp], edi | 5_2_007C5BE3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00433F59 push ecx; ret | 5_2_00433F6C
Source: 7rA1iX60wh.exe | Static PE information: section name: (blank or non-printable) entropy: 7.976114758528028
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank or non-printable) entropy: 7.976114758528028
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank or non-printable) entropy: 7.976114758528028
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
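
The static PE observations above (entry point inside .boot, sections whose names are blank or non-printable, a section with entropy 7.976, a .boot raw size above 0x100000, and the .themida marker) are the usual Themida footprint, and they can be checked with a few dozen lines of header parsing instead of a full PE library. The block below is an added example and not Joe Sandbox code: it parses the section table of a PE image in memory, computes per-section Shannon entropy and reports the same indicators. The sample it runs on is a constructed, minimal PE32 built in build_synthetic_pe() so that the example is self-contained; the entropy limit 7.9, the raw-size limit 0x100000 and the expectation that a normal entry point sits in .text are the author's assumptions, and the all-zero section name stands in for the special-character names the report does not print.

```python
"""
Static triage of Themida-style packer indicators from a PE section table.
Added example (not Joe Sandbox code); runs on a constructed PE built below.
"""
import math
import struct

E_LFANEW_OFFSET = 0x3C       # DOS header field holding the PE header offset
SECTION_HEADER_SIZE = 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means a uniform byte histogram (encrypted/packed)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "entropy": shannon_entropy(raw)})
        off += SECTION_HEADER_SIZE
    return entry_rva, sections


def packer_indicators(pe: bytes, raw_size_limit: int = 0x100000,
                      entropy_limit: float = 7.9) -> dict:
    """Flag the section-table traits this report lists for the sample."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_section = [], None
    for s in sections:
        label = s["name"].decode("latin-1") or "<blank>"
        if not s["name"] or any(c < 0x21 or c > 0x7E for c in s["name"]):
            findings.append(f"non-printable section name {s['name']!r}")
        if s["name"] in (b".themida", b".boot"):
            findings.append(f"Themida marker section {label}")
        if s["rawsize"] and s["entropy"] >= entropy_limit:
            findings.append(f"{label}: entropy {s['entropy']:.2f} (packed/encrypted)")
        if s["rawsize"] > raw_size_limit:
            findings.append(f"{label}: raw size 0x{s['rawsize']:x} exceeds 0x{raw_size_limit:x}")
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = label
    if entry_section != ".text":   # assumption: unpacked binaries start in .text
        findings.append(f"entry point 0x{entry_rva:x} lies in {entry_section or 'no section'}")
    return {"entry_section": entry_section, "findings": findings}


def build_synthetic_pe() -> bytes:
    """Constructed minimal PE32 (not a real sample) with a Themida-like layout."""
    packed_blob = bytes(range(256)) * 2          # uniform histogram -> entropy 8.0
    sections = [(b"\0" * 8, 0x1000, 0x1000, packed_blob),     # blank-name section
                (b".themida", 0x2000, 0x1000, b"\0" * 0x100),
                (b".boot", 0x3000, 0x1000, b"\0" * 0x100)]
    entry_rva = 0x3010                           # entry point inside .boot
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table, blobs, raw_off = b"", b"", 0x200
    for name, vaddr, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), raw_off,
                             0, 0, 0, 0, 0x60000020)
        blobs += raw
        raw_off += len(raw)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0") + blobs


if __name__ == "__main__":
    result = packer_indicators(build_synthetic_pe())
    print("entry point section:", result["entry_section"])
    for f in result["findings"]:
        print(" -", f)
```

Against the constructed image the function reports the blank section name, its entropy of 8.00, both marker sections and the entry point in .boot; on the real sample the same code would additionally trip the raw-size check on .boot. Feed it `open(path, "rb").read()` to run it on a file.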

Boot Survival

Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
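
The persistence entries above (schtasks /create with /sc HOURLY and /sc ONLOGON, /rl HIGHEST and an action binary under C:\ProgramData, plus the HKCU Run value) and the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread chain listed among the code-function entries earlier are the observations most worth turning into rules. The block below is an added example, not Joe Sandbox code: it reads events written in this report's own "Source | Event: detail" form and scores them. The event lines are constructed (the first four mirror entries from this report, the last is a benign control), and the trigger list, the user-writable path list, the two-trait minimum for a scheduled task and the injection chain itself are the author's assumptions.

```python
"""
Behaviour rules over sandbox-report style events: scheduled-task persistence,
Run-key persistence and the remote-thread injection API chain.
Added example modelled on this report's entries; not Joe Sandbox code.
"""
import re

# Constructed events in the report's "Source: X | Kind: detail" shape.
# Lines 1-4 mirror the report; line 5 is a benign control that must not fire.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY
"""

# schtasks switches we care about, quoted or bare values (assumed subset)
TASK_ARG = re.compile(r'/(tr|tn|sc|rl|ru)\s+(?:"([^"]*)"|(\S+))', re.I)
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "hourly", "minute"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def parse_events(text):
    """Yield (source, kind, detail) from 'Source: X | Kind: detail' lines."""
    for line in text.splitlines():
        if not line.startswith("Source: ") or " | " not in line:
            continue
        source, event = line[len("Source: "):].split(" | ", 1)
        kind, _, detail = event.partition(": ")
        yield source, kind, detail


def check_schtasks(cmd):
    """Score a schtasks /create command line; two or more traits is a finding."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    args = {flag.lower(): (quoted or bare) for flag, quoted, bare in TASK_ARG.findall(cmd)}
    reasons = []
    if args.get("sc", "").lower() in PERSISTENT_TRIGGERS:
        reasons.append(f"trigger {args['sc'].upper()}")
    if args.get("rl", "").lower() == "highest":
        reasons.append("/rl HIGHEST")
    if any(d in args.get("tr", "").lower() for d in USER_WRITABLE):
        reasons.append("action binary in user-writable path")
    if len(reasons) < 2:
        return None
    return f"scheduled-task persistence {args.get('tn')!r} -> {args.get('tr')} ({'; '.join(reasons)})"


def check_injection_chain(detail):
    """Finding if the API list contains the chain as an ordered subsequence."""
    calls = [c for c in re.split(r"[,\s]+", detail) if c]
    want = 0
    for call in calls:
        if call == INJECTION_CHAIN[want]:
            want += 1
            if want == len(INJECTION_CHAIN):
                via = " via LoadLibraryA" if "LoadLibraryA" in calls else ""
                return f"remote-thread injection chain {' -> '.join(INJECTION_CHAIN)}{via}"
    return None


def analyze(text):
    """Run every rule over the events and return 'source: finding' strings."""
    findings = []
    for source, kind, detail in parse_events(text):
        hit = None
        if kind == "Process created":
            hit = check_schtasks(detail)
        elif kind == "Registry value created or modified" and RUN_KEY.search(detail):
            hit = f"Run-key persistence: {detail}"
        elif kind == "Code function":
            hit = check_injection_chain(detail)
        if hit:
            findings.append(f"{source}: {hit}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The scheduled-task rule deliberately needs two traits before it fires: a vendor updater under Program Files with a DAILY trigger and no /rl HIGHEST stays quiet, while the report's tasks hit all three. The same parsing works unchanged on Sysmon event 1 command lines once the "Source | Kind" wrapper is swapped for the log's own fields.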
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 occurrences across the three WerFault.exe instances)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (74 occurrences across the three WerFault.exe instances)
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Stalling execution: Execution stalls by calling Sleep
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | System information queried: FirmwareTableInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe TID: 6780 | Thread sleep count: 37 > 30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5800 | Thread sleep count: 96 > 30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4924 | Thread sleep count: 95 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6996 | Thread sleep count: 64 > 30
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,0_2_00493F40
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004C6000
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,5_2_004E6770
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,5_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,5_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError,5_2_00431F9C
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,5_2_00432022
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004938D0
                Source: RageMP131.exe, 00000007.00000002.1909577550.0000000000F50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&_A
                Source: Amcache.hve.11.dr | Binary or memory string: VMware
                Source: MPGPH131.exe, 00000006.00000002.1984816945.00000000057D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Dk&Ven_VMware&P
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}<Q7|
                Source: Amcache.hve.11.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_BA2B277D)
                Source: RageMP131.exe, 00000007.00000003.1832560960.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}}@
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1742235564.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1760151148.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1742235564.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1760151148.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
                Source: MPGPH131.exe, 00000005.00000002.1995877183.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
                Source: RageMP131.exe, 00000010.00000003.1905504331.0000000000F39000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 7rA1iX60wh.exe, 00000000.00000003.1804907386.00000000057AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a\*
                Source: Amcache.hve.11.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: MPGPH131.exe, 00000006.00000002.1983899285.0000000000E00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: Amcache.hve.11.dr | Binary or memory string: vmci.sys
                Source: 7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}R6BwZ
                Source: MPGPH131.exe, 00000006.00000003.1879853581.00000000057C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_BA2B277D
                Source: 7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000D90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000WSH;.MSCPROCESSOR_ARCHITECTU
                Source: 7rA1iX60wh.exe, 00000000.00000002.2010522434.0000000005760000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}[
                Source: Amcache.hve.11.dr | Binary or memory string: VMware20,1
                Source: MPGPH131.exe, 00000006.00000003.1847963338.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}rf
                Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.11.dr | Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: MPGPH131.exe, 00000005.00000003.1725523240.0000000000D31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}n
                Source: Amcache.hve.11.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.11.dr | Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.11.dr | Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.11.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.11.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: RageMP131.exe, 00000007.00000002.1909577550.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
                Source: RageMP131.exe, 00000010.00000002.1992597918.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.11.dr | Binary or memory string: vmci.syshbin
                Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.
                Source: RageMP131.exe, 00000010.00000003.1905504331.0000000000F39000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Amcache.hve.11.dr | Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.11.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.11.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.11.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: RageMP131.exe, 00000010.00000002.1992597918.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXI
                Source: 7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000D90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000n
                Source: MPGPH131.exe, 00000006.00000003.1848662551.000000000582D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}~j
                Source: MPGPH131.exe, 00000006.00000002.1983899285.0000000000E53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: Amcache.hve.11.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.11.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.11.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.11.dr | Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.11.dr | Binary or memory string: \driver\vmci,\driver\pci
                Source: MPGPH131.exe, 00000005.00000002.1995877183.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&L
                Source: Amcache.hve.11.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWE
                Source: 7rA1iX60wh.exe, 00000000.00000002.2010522434.0000000005760000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Profiles\fqs92o4p.default-release\formhistory.sqlite
                Source: Amcache.hve.11.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: RageMP131.exe, 00000007.00000002.1909577550.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
                Source: MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*B
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Process queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h] 0_2_004C6D80
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_00493F40 mov eax, dword ptr fs:[00000030h] 0_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004C6D80 mov eax, dword ptr fs:[00000030h] 5_2_004C6D80
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493F40 mov eax, dword ptr fs:[00000030h] 5_2_00493F40
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,0_2_004E9A70
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043451D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0043451D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00438A64

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, | 0_2_004CF280
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, | 5_2_004CF280
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, | 0_2_004DFF00
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: GetLocaleInfoW, | 0_2_004531CA
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: EnumSystemLocalesW, | 0_2_0044B1B1
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 0_2_004532F3
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: GetLocaleInfoW, | 0_2_004533F9
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 0_2_004534CF
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: GetLocaleInfoW, | 0_2_0044B734
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW, | 0_2_00452B5A
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: GetLocaleInfoW, | 0_2_00452D5F
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: EnumSystemLocalesW, | 0_2_00452E51
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: EnumSystemLocalesW, | 0_2_00452E06
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: EnumSystemLocalesW, | 0_2_00452EEC
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 0_2_00452F77
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, | 5_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, | 5_2_004531CA
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, | 5_2_0044B1B1
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 5_2_004532F3
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, | 5_2_004533F9
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 5_2_004534CF
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, | 5_2_0044B734
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW, | 5_2_00452B5A
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, | 5_2_00452D5F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, | 5_2_00452E51
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, | 5_2_00452E06
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, | 5_2_00452EEC
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 5_2_00452F77
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, | 0_2_004DFF00
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, | 0_2_004DFF00
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, | 0_2_004DFF00
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.11.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.11.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.11.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.11.dr | Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000006.00000002.1984656819.0000000005770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2009861773.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1836658218.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1996827426.0000000005793000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1805883265.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1806000516.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2009458883.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2010729169.00000000057BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1878445681.0000000005793000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1806109261.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 7rA1iX60wh.exe PID: 6752, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1364, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 5232, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 2004, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 6972, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\SYv2wcsD2EVzcZNBuLFypWC.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\lw3hbkC7r6iSSxte_tz5rje.zip, type: DROPPED
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                Source: 7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
                Source: 7rA1iX60wh.exe, 00000000.00000003.1836658218.00000000057AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletS
                Source: 7rA1iX60wh.exe, 00000000.00000003.1804907386.00000000057CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                Source: 7rA1iX60wh.exe, 00000000.00000003.1836658218.00000000057AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletS
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
                Source: 7rA1iX60wh.exe, 00000000.00000003.1804907386.00000000057CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.walletP
                Source: 7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Pale Moon
                Source: 7rA1iX60wh.exe, 00000000.00000003.1804907386.00000000057CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\7rA1iX60wh.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 7rA1iX60wh.exe PID: 6752, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1364, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 5232, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000006.00000002.1984656819.0000000005770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2009861773.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1836658218.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1996827426.0000000005793000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1805883265.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1806000516.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2009458883.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2010729169.00000000057BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1878445681.0000000005793000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1806109261.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 7rA1iX60wh.exe PID: 6752, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1364, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 5232, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 2004, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 6972, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\SYv2wcsD2EVzcZNBuLFypWC.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\lw3hbkC7r6iSSxte_tz5rje.zip, type: DROPPED
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Native API
                1
                DLL Side-Loading
                1
                DLL Side-Loading
                1
                Deobfuscate/Decode Files or Information
                1
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services1
                Archive Collected Data
                2
                Ingress Tool Transfer
                Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts2
                Command and Scripting Interpreter
                1
                Scheduled Task/Job
                11
                Process Injection
                3
                Obfuscated Files or Information
                LSASS Memory1
                Account Discovery
                Remote Desktop Protocol2
                Data from Local System
                21
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                Scheduled Task/Job
                1
                Registry Run Keys / Startup Folder
                1
                Scheduled Task/Job
                2
                Software Packing
                Security Account Manager2
                File and Directory Discovery
                SMB/Windows Admin Shares1
                Screen Capture
                1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                Registry Run Keys / Startup Folder
                1
                DLL Side-Loading
                NTDS35
                System Information Discovery
                Distributed Component Object Model1
                Email Collection
                2
                Non-Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Masquerading
                LSA Secrets1
                Query Registry
                SSHKeylogging13
                Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts13
                Virtualization/Sandbox Evasion
                Cached Domain Credentials351
                Security Software Discovery
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                Process Injection
                DCSync13
                Virtualization/Sandbox Evasion
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem2
                Process Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                System Network Configuration Discovery
                Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1460406 Sample: 7rA1iX60wh.exe Startdate: 20/06/2024 Architecture: WINDOWS Score: 100 46 ipinfo.io 2->46 48 db-ip.com 2->48 56 Snort IDS alert for network traffic 2->56 58 Antivirus detection for URL or domain 2->58 60 Yara detected RisePro Stealer 2->60 62 4 other signatures 2->62 8 7rA1iX60wh.exe 1 62 2->8         started        13 MPGPH131.exe 5 53 2->13         started        15 MPGPH131.exe 5 51 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 50 77.91.77.66, 49731, 49732, 49733 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 8->50 52 ipinfo.io 34.117.186.192, 443, 49734, 49735 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->52 54 db-ip.com 104.26.4.15, 443, 49737, 49738 CLOUDFLARENETUS United States 8->54 36 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->36 dropped 38 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->38 dropped 40 C:\Users\user\...\SYv2wcsD2EVzcZNBuLFypWC.zip, Zip 8->40 dropped 44 2 other malicious files 8->44 dropped 64 Query firmware table information (likely to detect VMs) 8->64 66 Tries to steal Mail credentials (via file / registry access) 8->66 68 Found many strings related to Crypto-Wallets (likely being stolen) 8->68 80 2 other signatures 8->80 19 WerFault.exe 8->19         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        42 C:\Users\user\...\lw3hbkC7r6iSSxte_tz5rje.zip, Zip 13->42 dropped 70 Multi AV Scanner detection for dropped file 13->70 72 Machine Learning detection for dropped file 13->72 74 Found stalling execution ending in API Sleep call 13->74 26 WerFault.exe 13->26         started        76 Tries to harvest and steal browser information (history, passwords, etc) 15->76 78 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->78 28 WerFault.exe 15->28         started        file6 signatures7 process8 file9 34 
C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->34 dropped 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process10

                Source | Detection | Scanner | Label | Link
                7rA1iX60wh.exe | 100% | Joe Sandbox ML | |
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML | |
                C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML | |
                C:\ProgramData\MPGPH131\MPGPH131.exe | 55% | ReversingLabs | Win32.Trojan.RiseProStealer |
                C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 55% | ReversingLabs | Win32.Trojan.RiseProStealer |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
                http://upx.sf.net0%URL Reputationsafe
                https://www.ecosia.org/newtab/0%URL Reputationsafe
                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0%URL Reputationsafe
                https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
                https://ipinfo.io/0%URL Reputationsafe
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
                https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
                https://t.me/RiseProSUPPORTw0%Avira URL Cloudsafe
                https://db-ip.com:443/demo/home.php?s=8.46.123.33J0%Avira URL Cloudsafe
                http://77.91.77.81/cost/go.exe100%Avira URL Cloudmalware
                http://77.91.77.81/mine/amadka.exe100%Avira URL Cloudmalware
                http://77.91.77.81/mine/amadka.exet1100%Avira URL Cloudphishing
                https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
                https://ipinfo.io/widget/demo/8.46.123.33D0%Avira URL Cloudsafe
                https://ipinfo.io:443/widget/demo/8.46.123.330%Avira URL Cloudsafe
                https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF0%Avira URL Cloudsafe
                https://t.me/risepro_botraction0%Avira URL Cloudsafe
                https://t.me/RiseProSUPPORTk0%Avira URL Cloudsafe
                https://t.me/RiseProSUPPORTr0%Avira URL Cloudsafe
                https://ipinfo.io/widget/demo/8.46.123.3380%Avira URL Cloudsafe
                https://t.me/risepro_botY0%Avira URL Cloudsafe
                https://db-ip.com/0%Avira URL Cloudsafe
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e170%Avira URL Cloudsafe
                https://ipinfo.io/widget/demo/8.46.123.33ap0%Avira URL Cloudsafe
                http://77.91.77.81/cost/lenin.exeshinam100%Avira URL Cloudphishing
                http://77.91.77.81/cost/lenin.exe0.1100%Avira URL Cloudphishing
                https://t.me/risepro0%Avira URL Cloudsafe
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016/ee0%Avira URL Cloudsafe
                https://t.me/risepro_bot.cloudflare.c0%Avira URL Cloudsafe
                https://db-ip.com/demo/home.php?s=8.46.123.33N0%Avira URL Cloudsafe
                http://77.91.77.81/cost/lenin.exeilesCO100%Avira URL Cloudphishing
                https://t.me/RiseProSUPPORTQ0%Avira URL Cloudsafe
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install0%Avira URL Cloudsafe
                https://ipinfo.io/widget/demo/8.46.123.330%Avira URL Cloudsafe
                https://t.me/RiseProSUPPORTN0%Avira URL Cloudsafe
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17/ewGpY0%Avira URL Cloudsafe
                https://ipinfo.io/t0%Avira URL Cloudsafe
                https://ipinfo.io/widget/demo/8.46.123.33o0%Avira URL Cloudsafe
                https://db-ip.com:443/demo/home.php?s=8.46.123.330%Avira URL Cloudsafe
                http://77.91.77.81/mine/amadka.exeer100%Avira URL Cloudphishing
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016A0%Avira URL Cloudsafe
                https://db-ip.com/N0%Avira URL Cloudsafe
                https://ipinfo.io/widget/demo/8.46.123.33W0%Avira URL Cloudsafe
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
                https://ipinfo.io:443/widget/demo/8.46.123.3300%Avira URL Cloudsafe
                https://ipinfo.io/e0%Avira URL Cloudsafe
                https://t.me/risepro_bot330%Avira URL Cloudsafe
                https://db-ip.com/Z0%Avira URL Cloudsafe
                https://t.me/risepro_botm)0%Avira URL Cloudsafe
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
                https://db-ip.com/demo/home.php?s=8.46.123.33LA0%Avira URL Cloudsafe
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016R0%Avira URL Cloudsafe
                https://t.me/risepro_botisepro_botP0%Avira URL Cloudsafe
                https://t.me/RiseProSUPPORT0%Avira URL Cloudsafe
                https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll0%Avira URL Cloudsafe
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20160%Avira URL Cloudsafe
                https://ipinfo.io/Mozilla/5.00%Avira URL Cloudsafe
                https://ipinfo.io/:0%Avira URL Cloudsafe
                http://77.91.77.81/cost/lenin.exet100%Avira URL Cloudphishing
                https://t.me/risepro_bot0%Avira URL Cloudsafe
                https://t.M0%Avira URL Cloudsafe
                https://t.me/risepro_botlater0%Avira URL Cloudsafe
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17FALSE0%Avira URL Cloudsafe
                https://www.maxmind.com/en/locate-my-ip-address0%Avira URL Cloudsafe
                https://ipinfo.io/widget/demo/8.46.123.3300%Avira URL Cloudsafe
                https://t.me/risepro_bot_0%Avira URL Cloudsafe
                http://www.winimage.com/zLibDll0%Avira URL Cloudsafe
                https://db-ip.com/demo/home.php?s=8.46.123.33r0%Avira URL Cloudsafe
                https://support.mozilla.org0%Avira URL Cloudsafe
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples0%Avira URL Cloudsafe
                https://t.me/RiseProSUPPORTOU0%Avira URL Cloudsafe
                https://db-ip.com/demo/home.php?s=8.46.123.330%Avira URL Cloudsafe
                http://77.91.77.81/cost/lenin.exe100%Avira URL Cloudmalware
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                ipinfo.io | 34.117.186.192 | true | false | | unknown
                db-ip.com | 104.26.4.15 | true | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                https://ipinfo.io/widget/demo/8.46.123.33 | false | Avira URL Cloud: safe | unknown
                https://ipinfo.io/ | false | URL Reputation: safe | unknown
                https://db-ip.com/demo/home.php?s=8.46.123.33 | false | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                    http://77.91.77.81/mine/amadka.exeMPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849328886.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984816945.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://db-ip.com:443/demo/home.php?s=8.46.123.33JMPGPH131.exe, 00000005.00000002.1995877183.0000000000D2B000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://ipinfo.io/widget/demo/8.46.123.33D7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000D9E000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/RiseProSUPPORTwMPGPH131.exe, 00000006.00000002.1983899285.0000000000E07000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://77.91.77.81/mine/amadka.exet1MPGPH131.exe, 00000006.00000003.1849328886.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984816945.00000000057D1000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: phishing
                    unknown
                    https://duckduckgo.com/chrome_newtab7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://ipinfo.io:443/widget/demo/8.46.123.337rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F4C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFD87fZN3R3jFeplaces.sqlite.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://duckduckgo.com/ac/?q=7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://77.91.77.81/cost/go.exe7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2010522434.000000000579A000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1878548593.000000000577B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1996805770.000000000577C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1984656819.0000000005784000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://t.me/risepro_botractionRageMP131.exe, 00000007.00000002.1909577550.000000000100C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/RiseProSUPPORTr7rA1iX60wh.exe, 00000000.00000003.1836658218.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057BB000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/RiseProSUPPORTkRageMP131.exe, 00000007.00000002.1909577550.0000000000F5E000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://db-ip.com/7rA1iX60wh.exe, 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1803593775.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1742235564.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1760151148.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1909577550.000000000100C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1992597918.0000000000F63000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://77.91.77.81/cost/lenin.exeshinamMPGPH131.exe, 00000006.00000003.1849328886.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1849083129.00000000057D0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: phishing
                    unknown
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ipinfo.io/widget/demo/8.46.123.338RageMP131.exe, 00000007.00000002.1909577550.0000000000F5E000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://ipinfo.io/widget/demo/8.46.123.33apMPGPH131.exe, 00000005.00000002.1995877183.0000000000CE7000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17MPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1835916752.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, R0S0RUVxqvyQHistory.0.dr, kIQomd5yBLOGHistory.0.dr, AB89z_t13yqTHistory.6.dr, uXAOMY6nzRJRHistory.6.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/risepro_botYMPGPH131.exe, 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://77.91.77.81/cost/lenin.exe0.1MPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: phishing
                    unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016/eeMPGPH131.exe, 00000006.00000003.1835916752.0000000000EE4000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/riseproRageMP131.exe, 00000010.00000002.1992597918.0000000000F63000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/risepro_bot.cloudflare.cRageMP131.exe, 00000007.00000002.1909577550.000000000100C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://db-ip.com/demo/home.php?s=8.46.123.33NMPGPH131.exe, 00000005.00000002.1995877183.0000000000D45000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://77.91.77.81/cost/lenin.exeilesCO7rA1iX60wh.exe, 00000000.00000002.2010729169.00000000057E3000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1805983196.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1806092362.00000000057E2000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: phishing
                    unknown
                    https://t.me/RiseProSUPPORTQMPGPH131.exe, 00000005.00000002.1995877183.0000000000CCD000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17/ewGpYMPGPH131.exe, 00000006.00000003.1835916752.0000000000EE4000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallMPGPH131.exe, 00000006.00000003.1835916752.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, R0S0RUVxqvyQHistory.0.dr, kIQomd5yBLOGHistory.0.dr, AB89z_t13yqTHistory.6.dr, uXAOMY6nzRJRHistory.6.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.me/RiseProSUPPORTN7rA1iX60wh.exe, 00000000.00000002.2009458883.0000000000D9E000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search7rA1iX60wh.exe, 00000000.00000003.1799658979.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1799011403.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, 7rA1iX60wh.exe, 00000000.00000003.1800857195.0000000005800000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1834591904.0000000005B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1838468818.0000000005B08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1833052520.00000000057ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1836251157.00000000057F7000.00000004.00000020.00020000.00000000.sdmp, KTLvV8LpVE9pWeb Data.0.dr, U2l6ocEPq0VAWeb Data.6.dr, GpT142gGtTJXWeb Data.6.dr, qcOI72S8Wv9BWeb Data.0.dr, feyUeh_eGCc2Web Data.0.dr, jq2E_9CdxA4hWeb Data.6.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ipinfo.io/tMPGPH131.exe, 00000006.00000002.1983899285.0000000000E48000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    IP              Domain      Country             ASN     ASN Name                                         Malicious
                    34.117.186.192  ipinfo.io   United States       139070  GOOGLE-AS-AP Google Asia Pacific Pte Ltd, SG     false
                    104.26.4.15     db-ip.com   United States       13335   CLOUDFLARENET, US                                false
                    77.91.77.66     unknown     Russian Federation  42861   FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP, RU    true
                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1460406
                    Start date and time: 2024-06-20 23:31:08 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 9m 47s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed: 21
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: 7rA1iX60wh.exe (renamed because the original name is a hash value)
                    Original Sample Name: a8b80d67357afbd703ee2a13d9cbf339.exe
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@14/60@2/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 68%
                    • Number of executed functions: 53
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 52.168.117.173
                    • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed; the report is missing behavior information.
                    • Report creation exceeded the maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: 7rA1iX60wh.exe
                    Time      Type             Description
                    17:32:29  API Interceptor  3x Sleep call for process: WerFault.exe modified
                    22:32:01  Task Scheduler   Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
                    22:32:01  Task Scheduler   Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
                    22:32:03  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                    22:32:11  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    34.117.186.192HP-patchedUS-deobfuscated.exeGet hashmaliciousUnknownBrowse
                    • ipinfo.io/
                    HP-patchedUS-deobfuscated.exeGet hashmaliciousUnknownBrowse
                    • ipinfo.io/
                    HP-patchedUS-deobfuscated.exeGet hashmaliciousUnknownBrowse
                    • ipinfo.io/
                    SecuriteInfo.com.Win32.Evo-gen.24318.16217.exeGet hashmaliciousUnknownBrowse
                    • ipinfo.io/json
                    SecuriteInfo.com.Win32.Evo-gen.28489.31883.exeGet hashmaliciousUnknownBrowse
                    • ipinfo.io/json
                    Raptor.HardwareService.Setup 1.msiGet hashmaliciousUnknownBrowse
                    • ipinfo.io/ip
                    Conferma_Pdf_Editor.exeGet hashmaliciousPlanet StealerBrowse
                    • ipinfo.io/
                    Conferma_Pdf_Editor.exeGet hashmaliciousPlanet StealerBrowse
                    • ipinfo.io/
                    w.shGet hashmaliciousXmrigBrowse
                    • /ip
                    Raptor.HardwareService.Setup_2.3.6.0.msiGet hashmaliciousUnknownBrowse
                    • ipinfo.io/ip
                    104.26.4.15#Ud3ec#Ud2b8#Ud3f4#Ub9ac#Uc624.exeGet hashmaliciousNemty, XmrigBrowse
                    • api.db-ip.com/v2/free/102.129.152.212/countryName
                    77.91.77.66PNO3otPYOa.exeGet hashmaliciousRisePro StealerBrowse
                      YnsEArPlqx.exeGet hashmaliciousRisePro StealerBrowse
                        AlCsIOd0pd.exeGet hashmaliciousRisePro StealerBrowse
                          setup.exeGet hashmaliciousAmadey, RisePro StealerBrowse
                            D44CPdpkNk.exeGet hashmaliciousRisePro StealerBrowse
                              WGEfBWbWQI.exeGet hashmaliciousRisePro StealerBrowse
                                2bT2lTwRku.exeGet hashmaliciousRisePro StealerBrowse
                                  T17sbXrL3i.exeGet hashmaliciousRisePro StealerBrowse
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    ipinfo.ioPsHQsuTG0H.dllGet hashmaliciousUnknownBrowse
                                    • 34.117.186.192
                                    PNO3otPYOa.exeGet hashmaliciousRisePro StealerBrowse
                                    • 34.117.186.192
                                    YnsEArPlqx.exeGet hashmaliciousRisePro StealerBrowse
                                    • 34.117.186.192
                                    setup.exeGet hashmaliciousAmadey, RisePro StealerBrowse
                                    • 34.117.186.192
                                    D44CPdpkNk.exeGet hashmaliciousRisePro StealerBrowse
                                    • 34.117.186.192
                                    1kBeqS7E3z.exeGet hashmaliciousLummaC, RisePro Stealer, VidarBrowse
                                    • 34.117.186.192
                                    WGEfBWbWQI.exeGet hashmaliciousRisePro StealerBrowse
                                    • 34.117.186.192
                                    2bT2lTwRku.exeGet hashmaliciousRisePro StealerBrowse
                                    • 34.117.186.192
                                    T17sbXrL3i.exeGet hashmaliciousRisePro StealerBrowse
                                    • 34.117.186.192
                                    http://telegliam.icu/Get hashmaliciousUnknownBrowse
                                    • 34.117.186.192
                                    db-ip.comPNO3otPYOa.exeGet hashmaliciousRisePro StealerBrowse
                                    • 104.26.4.15
                                    YnsEArPlqx.exeGet hashmaliciousRisePro StealerBrowse
                                    • 172.67.75.166
                                    setup.exeGet hashmaliciousAmadey, RisePro StealerBrowse
                                    • 104.26.5.15
                                    D44CPdpkNk.exeGet hashmaliciousRisePro StealerBrowse
                                    • 104.26.4.15
                                    1kBeqS7E3z.exeGet hashmaliciousLummaC, RisePro Stealer, VidarBrowse
                                    • 104.26.4.15
                                    WGEfBWbWQI.exeGet hashmaliciousRisePro StealerBrowse
                                    • 104.26.4.15
                                    2bT2lTwRku.exeGet hashmaliciousRisePro StealerBrowse
                                    • 104.26.5.15
                                    T17sbXrL3i.exeGet hashmaliciousRisePro StealerBrowse
                                    • 172.67.75.166
                                    file.exeGet hashmaliciousRisePro StealerBrowse
                                    • 172.67.75.166
                                    https://curious-kringle-id4964-024b3b3.netlify.app/form.htmlGet hashmaliciousUnknownBrowse
                                    • 104.26.5.15
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRUPNO3otPYOa.exeGet hashmaliciousRisePro StealerBrowse
                                    • 77.91.77.66
                                    YnsEArPlqx.exeGet hashmaliciousRisePro StealerBrowse
                                    • 77.91.77.66
                                    AlCsIOd0pd.exeGet hashmaliciousRisePro StealerBrowse
                                    • 77.91.77.66
                                    setup.exeGet hashmaliciousAmadey, RisePro StealerBrowse
                                    • 77.91.77.81
                                    setup.exeGet hashmaliciousPython Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                                    • 77.91.77.81
                                    FN MultiHack v2.exeGet hashmaliciousRedLineBrowse
                                    • 77.91.77.6
                                    D44CPdpkNk.exeGet hashmaliciousRisePro StealerBrowse
                                    • 77.91.77.66
                                    https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387acGet hashmaliciousUnknownBrowse
                                    • 77.91.77.5
                                    https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387acGet hashmaliciousUnknownBrowse
                                    • 77.91.77.5
                                    WGEfBWbWQI.exeGet hashmaliciousRisePro StealerBrowse
                                    • 77.91.77.66
                                    GOOGLE-AS-APGoogleAsiaPacificPteLtdSGPsHQsuTG0H.dllGet hashmaliciousUnknownBrowse
• 34.117.186.192
PNO3otPYOa.exe | malicious | RisePro Stealer
• 34.117.186.192
YnsEArPlqx.exe | malicious | RisePro Stealer
• 34.117.186.192
https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments | malicious | Unknown
• 34.117.239.71
https://my.visme.co/v/pvmd79je-dj6mqv | malicious | Unknown
• 34.117.77.79
setup.exe | malicious | Amadey, RisePro Stealer
• 34.117.186.192
D44CPdpkNk.exe | malicious | RisePro Stealer
• 34.117.186.192
1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar
• 34.117.186.192
WGEfBWbWQI.exe | malicious | RisePro Stealer
• 34.117.186.192
2bT2lTwRku.exe | malicious | RisePro Stealer
• 34.117.186.192
CLOUDFLARENETUS
https://qlwcz.semoxqj.ru/jEmXeUJt/#X | malicious | Unknown
• 104.17.2.184
https://qlwcz.semoxqj.ru/jEmXeUJt/#X | malicious | HTMLPhisher
• 104.17.3.184
https://sigmaalphalambda.org/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?ver=5.4.8.3 | malicious | Unknown
• 104.26.7.221
https://i1h.nechole.ru/9Ciz/ | malicious | HTMLPhisher
• 104.17.2.184
https://criticalsystemsllc-my.sharepoint.com/:o:/p/rlingle/EsvC9Qj-ls9HhKnRaEZ1Lz8BvxH0MI-VHwfPjNPle-U1uw?e=5%3aU5b5yJ&at=9&xsdata=MDV8MDJ8YnBha0BkZXdiZXJyeS5jb218YWEyYWY5MTc3YmRhNDI3YWMwMjUwOGRjOTE1ZjI1OWZ8ODRiN2Y1MzdmYjc2NDJiMmFjMWI0MTVhNTU5Nzc2NmN8MHwwfDYzODU0NTA4NTA0NDA0NDI4OHxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=YmpNTzhSaVBMSktXRzI4YjdkN3g4Um1yTTg1RUtvcGw4enpqT1BjVFpqdz0%3d | malicious | HTMLPhisher
• 1.1.1.1
https://qlwcz.semoxqj.ru/jEmXeUJt/#X | malicious | Unknown
• 104.17.2.184
Direct - Deposit 6192024.html | malicious | Unknown
• 188.114.96.3
https://ms-doc.view-saf-eastsuusex-d0c-file239291.com/?Rg=GHhLs | malicious | HTMLPhisher
• 1.1.1.1
ReceiptCopy37.html | malicious | HTMLPhisher
• 104.17.24.14
https://ms-doc.view-saf-eastsuusex-d0c-file239291.com/?Rg=GHhLs | malicious | HTMLPhisher
• 1.1.1.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1
Form_Ver-18-13-38.js | malicious | Bazar Loader, BruteRatel, Latrodectus
• 34.117.186.192
• 104.26.4.15
PNO3otPYOa.exe | malicious | RisePro Stealer
• 34.117.186.192
• 104.26.4.15
YnsEArPlqx.exe | malicious | RisePro Stealer
• 34.117.186.192
• 104.26.4.15
Invoice.docm | malicious | Unknown
• 34.117.186.192
• 104.26.4.15
file.exe | malicious | LummaC, PureLog Stealer, zgRAT
• 34.117.186.192
• 104.26.4.15
Setup.exe | malicious | LummaC, Amadey, LummaC Stealer
• 34.117.186.192
• 104.26.4.15
setup.exe | malicious | Amadey, RisePro Stealer
• 34.117.186.192
• 104.26.4.15
setup.exe | malicious | LummaC
• 34.117.186.192
• 104.26.4.15
setup.exe | malicious | LummaC
• 34.117.186.192
• 104.26.4.15
Galaxy Swapper v2.0.3.exe | malicious | LummaC, Xmrig
• 34.117.186.192
• 104.26.4.15
                                    No context
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3308048
                                    Entropy (8bit):7.963565427613973
                                    Encrypted:false
                                    SSDEEP:98304:R3Z1B/WjR+4+cpPwD2nn8Dw2Urxqs7w5R:fujXdU2Lxp7wz
                                    MD5:A8B80D67357AFBD703EE2A13D9CBF339
                                    SHA1:68620481E594727F1751D84B1E372A5B72D421F9
                                    SHA-256:F42D98EC4C311B66CE4B40A98DB073CFDF86AF1E6FA63B8F9A07555CB4E7958D
                                    SHA-512:24C0CA44640A97CCB1A38D8CE98C96E6D307906863DB51C433A540212DF296136871A2E2F0C628689B20914A64B6F172189B73B391AA0DCFE28449A529E265D5
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 55%
                                    Reputation:low
                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@.......................... ........2......................................a..........8....................................................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot.....'...X...'..x..............`..`.reloc...............z2................@................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.0507151286088185
                                    Encrypted:false
                                    SSDEEP:192:hL0/QjR0bxwGfjyZrosLZuzuiFlZ24IO8FL:d0/QjSbxwGfjyuzuiFlY4IO8FL
                                    MD5:19DD008B14F649BEBA66D3D26BEC5584
                                    SHA1:5E70CE27F6F31EA3F9E4EBDEDDC4C139B5F8C721
                                    SHA-256:45FC4C6B0B4ECB05DF3F640FB31FA65B419CD20DDBAE3099F6DD1D41ADD0747A
                                    SHA-512:4F9C0070C16BD801A82CA4C10BF75309B2D33E4F3E893BCB2FDF1FE9521F4F6D93E732ABC3A6D76D72A400D68248F94AEA4A10C64E68B4C27D596CA10B72A0A5
                                    Malicious:true
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.3.9.2.7.3.6.6.2.5.9.2.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.3.9.2.7.3.7.2.1.9.6.7.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.f.a.0.0.6.1.-.8.9.a.a.-.4.a.4.c.-.b.4.0.9.-.9.5.5.9.4.d.c.e.7.f.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.0.f.a.9.3.4.-.2.a.f.c.-.4.0.8.2.-.8.5.0.2.-.f.4.1.6.b.c.1.4.6.e.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.r.A.1.i.X.6.0.w.h...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.0.-.0.0.0.1.-.0.0.1.4.-.b.1.7.7.-.3.5.4.7.5.9.c.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.6.8.6.2.0.4.8.1.e.5.9.4.7.2.7.f.1.7.5.1.d.8.4.b.1.e.3.7.2.a.5.b.7.2.d.4.2.
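The Zone.Identifier stream and the Report.wer file listed above are small Key=Value text artifacts whose useful values are worth pulling out programmatically: the ZoneId decides whether the dropped copy carries a mark-of-the-web (ZoneId=0 is the Local Machine zone, so SmartScreen and Protected View will not treat the copy as downloaded), and the NsAppName/OriginalFilename pair in the WER report tells you which image crashed and what its version resource calls it. The Entropy (8bit) field in every record is a plain Shannon entropy over byte frequencies. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it reproduces the report's entropy value for the 26-byte Zone.Identifier stream (the exact placement of its four non-printable bytes is an assumption; both CRLF layouts have the same byte histogram, so the entropy is identical either way), interprets the ZoneId, and parses a cut-down Report.wer constructed from the four fields visible in the preview. The 7.2 packing threshold and the helper names are the example's own choices.

```python
"""Added example (not from the Joe Sandbox report): reproduce the
"Entropy (8bit)" field and extract the security-relevant values from two
Key=Value artifacts the report lists, a Zone.Identifier stream and a WER
Report.wer file."""
import math
from collections import Counter


# --- 8-bit Shannon entropy, the quantity behind "Entropy (8bit)" ----------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(entropy: float, threshold: float = 7.2) -> bool:
    """Rule of thumb (threshold is this example's choice): compressed or
    encrypted PE payloads, such as the Themida-packed sample, sit near 8."""
    return entropy >= threshold


# --- Windows Key=Value text artifacts --------------------------------------
def parse_kv_text(raw: bytes) -> dict:
    """Parse 'Key=Value' lines from Zone.Identifier (ASCII) or Report.wer
    (UTF-16LE with BOM). [Section] headers are skipped; later keys win."""
    if raw.startswith(b"\xff\xfe"):
        text = raw.decode("utf-16")      # "utf-16" consumes the BOM
    else:
        text = raw.decode("latin-1")     # never raises on stray bytes
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


# URLZONE values used by ZoneId (urlmon.h)
URL_ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
             3: "Internet", 4: "RestrictedSites"}


def mark_of_the_web(zone_identifier: bytes) -> tuple:
    """Return (ZoneId, zone name, has_motw). Only the Internet and
    Restricted zones make SmartScreen/Protected View treat the file as
    downloaded; a missing ZoneId is treated as zone 0."""
    zone = int(parse_kv_text(zone_identifier).get("ZoneId", "0"))
    return zone, URL_ZONES.get(zone, "Unknown"), zone >= 3


def wer_crashed_process(report_wer: bytes) -> dict:
    """The names worth pivoting on: the image as it ran (NsAppName) and the
    OriginalFilename from its version resource."""
    kv = parse_kv_text(report_wer)
    return {"event": kv.get("EventType"), "app": kv.get("NsAppName"),
            "original_filename": kv.get("OriginalFilename")}


# Constructed inputs. ZONE_IDENTIFIER matches the report's 26-byte stream:
# "[ZoneTransfer]", four non-printable bytes, "ZoneId=0". Whether those
# bytes are CRLF CRLF or CRLF plus a trailing CRLF is an assumption; the byte
# histogram, and therefore the entropy, is the same for both.
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\nZoneId=0\r\n"
assert len(ZONE_IDENTIFIER) == 26

# A cut-down Report.wer built only from the fields visible in the report's
# preview (UTF-16LE with BOM, CRLF); the file itself is constructed here.
REPORT_WER = ("\ufeff" + "\r\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "NsAppName=MPGPH131.exe",
    "OriginalFilename=dotnet.exe",
    "",
])).encode("utf-16-le")


if __name__ == "__main__":
    h = shannon_entropy(ZONE_IDENTIFIER)   # matches the report's 3.95006375643621
    print(f"Zone.Identifier entropy: {h:.12f}  packed? {looks_packed(h)}")
    print("MOTW:", mark_of_the_web(ZONE_IDENTIFIER))
    print("WER:", wer_crashed_process(REPORT_WER))
```

Run against the real artifacts, read the alternate data stream with `open(r"path\to\MPGPH131.exe:Zone.Identifier", "rb")` on Windows and the Report.wer straight from the WER ReportQueue directory; the same parser handles both because it keys on the BOM rather than on the file name.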
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.048951551526084
                                    Encrypted:false
                                    SSDEEP:192:TTlplLaPzN8SD0pPso6E6jjRZrVfxjPzuiFlZ24IO8q6t:/J27N/wpPs3jzPzuiFlY4IO81
                                    MD5:0DA419264DBEE8CF8426141CA1A147C7
                                    SHA1:6C292446C0EBEBA9A6F118D5C7AF997ED82E91BC
                                    SHA-256:43572F04D09F18835A9CA7201EEFCA3BF8D6734598DF5E850EE150585090D459
                                    SHA-512:E5AD0BEA333BEA71AB2C187937C1D0DE58F73B573328F86F419847CD82D9CEBF3AD041A07BA382EAE1E44411018140283A04E00D35E582C8E9770EF651BD986F
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.3.9.2.7.4.0.0.7.4.3.9.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.3.9.2.7.4.1.0.7.4.3.9.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.4.c.d.9.1.d.-.d.f.8.c.-.4.f.3.8.-.9.0.5.d.-.2.e.8.9.8.1.7.e.d.0.f.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.b.2.0.1.1.5.-.2.f.c.9.-.4.c.4.a.-.9.d.f.d.-.e.3.0.2.3.7.7.7.e.6.2.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.5.4.-.0.0.0.1.-.0.0.1.4.-.f.2.d.d.-.5.2.4.9.5.9.c.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.6.8.6.2.0.4.8.1.e.5.9.4.7.2.7.f.1.7.5.1.d.8.4.b.1.e.3.7.2.a.5.b.7.2.d.4.2.1.f.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.0426073546379673
                                    Encrypted:false
                                    SSDEEP:192:3MGAlbaPz88SD0pPso6E6jj/ZrUUJcUzuiFlZ24IO8q6t:8GYm78/wpPs3jqUzuiFlY4IO81
                                    MD5:A86E885C95A24367D8C3D078CF4B521A
                                    SHA1:F1A7B377161538C8870E684BF7BCF91D703B28B8
                                    SHA-256:26EB135AA4B264902E9BF0669B08F67AD44FC8A08126634B38BB96C727566000
                                    SHA-512:3A08F2F5375A748ED425F52DAB498665FB088A09B637B4750C58551D946DC9D442F9C2EAB904B523144C713D8AF5DC13E416E0979D205839177AFBBBABC544BB
                                    Malicious:false
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.3.9.2.7.4.0.7.5.7.5.4.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.3.9.2.7.4.1.2.8.8.7.9.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.4.9.5.0.0.8.-.d.8.9.e.-.4.5.4.4.-.9.9.8.b.-.0.f.a.e.7.6.6.1.c.6.2.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.b.d.0.6.3.f.-.9.c.b.4.-.4.5.e.d.-.a.a.b.5.-.9.d.e.2.1.b.7.8.3.d.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.7.0.-.0.0.0.1.-.0.0.1.4.-.7.6.0.f.-.6.d.4.9.5.9.c.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.6.8.6.2.0.4.8.1.e.5.9.4.7.2.7.f.1.7.5.1.d.8.4.b.1.e.3.7.2.a.5.b.7.2.d.4.2.1.f.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 21:32:16 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):104800
                                    Entropy (8bit):2.0535558088577095
                                    Encrypted:false
                                    SSDEEP:384:fg3la4SIZidwFtv2crlHEY8bja++1ZG8s4ekDS3zLTj8XnHXX8YCS1F1lVFkbSlp:f+a47ZiyFtv2nax1I1kw
                                    MD5:2A759BFCC2C6E4B98CD5C7960E82FF1B
                                    SHA1:43C1CFC3A76BD9302DF9FA866D88E25B531C71D2
                                    SHA-256:50A95F7CBD70A0D61E0D47184046B107413D6697B83B467F15978B838D8CA5D6
                                    SHA-512:6801A0371785A54A7EF2CA7874D4A1D13010720C77B2240F7803D8ABFE19D1F8271F8B8473BB1BF290EF82F24145223D0F3E27C9AB2B556FF424EF402F392D56
                                    Malicious:false
                                    Preview:MDMP..a..... .........tf....................................l....#...........L..........`.......8...........T...........`K...N...........#...........%..............................................................................eJ.......&......GenuineIntel............T.......`....tf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8396
                                    Entropy (8bit):3.705096504459567
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJ6Cl66HdU6Y9JSU9V3YzgmfnJJ43sprG89bOBsfOam:R6lXJr66HdU6YzSU9dYzgmfnJJWGO6fK
                                    MD5:6991927074D068FFE1AF8465AD87BE5A
                                    SHA1:79D102052DDA0C586B898746EA659BBB8840711E
                                    SHA-256:13C6BBA86125BB7BA9F5262EEE8C1319E00905F0ACBE62DF82C8FE455076A5FC
                                    SHA-512:90AC75ED40647348F5366DA5247BEDE34A303B70067F483DBB5F9D31F6033453A98463C0E491D6D305B35DEC29A9171F1ED08AA4E27E311762ED3BE613D6579B
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.5.2.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4713
                                    Entropy (8bit):4.516174525052626
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsgJg77aI947WpW8VYbPYm8M4JCGKF++q8qK48CM6d:uIjfmI7WK7V+SJCa3/8CM6d
                                    MD5:790001C58E9E904B41F276717C0EF46E
                                    SHA1:1F4EF23BD5784241F28448CDE3AE628F3524D64D
                                    SHA-256:EB7D2DC2731BDFB151D3300E78B058E937E604704CD1E9547F86A20022FD3F81
                                    SHA-512:7D9FE3F9CEB9052F44D13A27963E24B9EEB5179A882DE9177A4FF1D9BF921F56CE66C28897EB7840E0E61E53005E6627C46F8571D38B79E02EC50D0045D2A82B
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376594" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 21:32:20 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):104280
                                    Entropy (8bit):2.046570371156321
                                    Encrypted:false
                                    SSDEEP:384:eTkWKYNFtvvKCRBq1tD6CT/gZuWKQLqwtxTAFpWDUTYT8jxDvBm:eY9oFtvozgZwQLnsLJ
                                    MD5:9C9F19C00D53451920CE22AD78A2F5AC
                                    SHA1:E13044DFE3DB8025D13D2F9A2ABF39D04B5DB5F5
                                    SHA-256:EDCF80A94704BC46A59BB6BE936CF835224E280D66F0AF669B125FC2C4D8D666
                                    SHA-512:40ED17DB1DC830431C7300148F127C31107C8AD47A1051AC5A88A1A4EACBE805ED4A6B5B43569560617ADC1B3367AF9F388902A0F9E0238E4999B07FB6D13D40
                                    Malicious:false
                                    Preview:MDMP..a..... ........tf....................................l....#...........L..........`.......8...........T...........pJ...L...........#...........%..............................................................................eJ.......&......GenuineIntel............T.......T....tf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):6366
                                    Entropy (8bit):3.7261727799270314
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJxu160bSLYiyJJUpra89byMsfKldGm:R6lXJi64SLYRJJiyffKH
                                    MD5:597933402624A977D25EF184B1ACEE9C
                                    SHA1:9842349211338E72984A626B401F362CFEFA6E3B
                                    SHA-256:682F6C0399F1F48531A6385B585BABD90774AD7ED59891AD244E6A970DB801B3
                                    SHA-512:7236F17E923DF3BDC3605E32ABE48370F6A7ED9C6F895FCE8E24591D3B7A383BF99A8D4BCB0D0B1B247FB671E552B66976C79F3117DBD26D89DACE1ECBAB7778
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.6.4.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4703
                                    Entropy (8bit):4.519581952306753
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsPJg77aI947WpW8VYNa0Ym8M4JHwFor+q8bO8wJs1d:uIjfxI7WK7VfJjrF8wJs1d
                                    MD5:F8570CE29D98D2C574D3EEA4BC955AE0
                                    SHA1:846969ECF7482326353A18C62D3072532722D028
                                    SHA-256:2E1EF4E510BA8AB6BDA08938533D42B4B98013502565E9AED85B64F1C829800C
                                    SHA-512:65CA2519983FE8CFEC39E278F0949EDA9964A3589E829B2DE2A3A26E4279644F4CD27B6B601FB29EA0C08AE10C4003FB4B5F0393A684BC6BE8AAA9109CBCCC30
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376595" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 21:32:20 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):103904
                                    Entropy (8bit):2.0496185379817526
                                    Encrypted:false
                                    SSDEEP:384:0CsADSWFAEO1bRtv8Q3EQGeKPiYv+UYpq7EwUEOxqj4jMTATJM+98:h2WCBbRtvKU6YEmd6
                                    MD5:4B57FE4A6979C201ECD0AF29D234F225
                                    SHA1:D04C19C6FFE250CA78DF822D3B940376044BC67F
                                    SHA-256:FBA9BDB8385C772F8D4B492CAD250B3F287D3C01674C7522308496A70CE0A4FF
                                    SHA-512:C5D4D464A69FFCDE442CBD01EEA750B845683364D21A74273CE6F33509EA5AFDBAD3C89C1AD39562F165ACA5D9DF0B28B7DE912D3EEC8C082624DC717041A3DD
                                    Malicious:false
                                    Preview:MDMP..a..... ........tf........................,...........l...$#..........rL..........`.......8...........T...........XI...L...........#..........|%..............................................................................eJ.......&......GenuineIntel............T.......p....tf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):6366
                                    Entropy (8bit):3.726548053997114
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJfux6zS/YiyJJUprZ89b7LsfXJJm:R6lXJY6zS/YRJJX7QfXW
                                    MD5:F34ABE06DE5266E44CC4D8D918125E97
                                    SHA1:070F531FF33F9C705B0884414AF1249F8B4CA37E
                                    SHA-256:4927378CD3835F9C7D0AF03B4FF5B1CEA26DCCBE0305AD6DDB7297A904414562
                                    SHA-512:0B7D961041BF8662CB734900FF863D87B45800A8D256E12149EB49AF2FD6193C394E756B515B46EA673123C5CC6A665CEF46B5CB538DA93A6C1FC8D40E126EEB
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.3.2.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4703
                                    Entropy (8bit):4.518919854744802
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsPJg77aI947WpW8VYNnYm8M4JHwFI+q8b+8wJsud:uIjfxI7WK7VZJBR8wJsud
                                    MD5:F29DCC0776B7CBCA1D278D91593FF651
                                    SHA1:923C63B4A2DE8287DD180C32D21B6C773B99E0B3
                                    SHA-256:F9819AF4EB9B774E9FD9B27073BD0BBB3E04F9BCDE4C170B4DFD75F2598D6E59
                                    SHA-512:1B31B00FFEDF66CB1903B985754775F40B3C0415A6592465075768D53B3E0F4BE4C21473F86436BDDCAEB519B2329AF9F75304AA56965240CD1ECC0D59989C9A
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376595" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3308048
                                    Entropy (8bit):7.963565427613973
                                    Encrypted:false
                                    SSDEEP:98304:R3Z1B/WjR+4+cpPwD2nn8Dw2Urxqs7w5R:fujXdU2Lxp7wz
                                    MD5:A8B80D67357AFBD703EE2A13D9CBF339
                                    SHA1:68620481E594727F1751D84B1E372A5B72D421F9
                                    SHA-256:F42D98EC4C311B66CE4B40A98DB073CFDF86AF1E6FA63B8F9A07555CB4E7958D
                                    SHA-512:24C0CA44640A97CCB1A38D8CE98C96E6D307906863DB51C433A540212DF296136871A2E2F0C628689B20914A64B6F172189B73B391AA0DCFE28449A529E265D5
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 55%
                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@.......................... ........2......................................a..........8....................................................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot.....'...X...'..x..............`..`.reloc...............z2................@................................................................
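The preview of this dropped copy of the sample shows a section table that mixes ordinary names (.idata, .tls, .rsrc, .reloc) with the Themida packer's .themida and .boot sections and at least one name made of non-printable bytes, and the file's 8-bit entropy of 7.96 sits close to the 8.0 ceiling. The following Python is an added example, not code from the report or from Joe Security, that parses a PE section table with the standard library alone and raises the same kinds of findings: non-standard or special-character section names, writable-and-executable sections, and per-section Shannon entropy on the report's "Entropy (8bit)" scale. The list of common section names and the 7.2 entropy threshold are assumptions; the PE fed to demo() is a minimal image constructed in memory, not the sample.

```python
# Added example, not part of the Joe Sandbox report. Parses a PE section table and flags
# packer indicators: non-standard or special-character names, W+X sections, high entropy.
from __future__ import annotations
import math
import struct
from dataclasses import dataclass

IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumption: illustrative set of names the usual toolchains emit, not exhaustive.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                        ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".didat", ".xdata"}
ALLOWED_NAME_BYTES = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); same scale as the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Section:
    raw_name: bytes
    virtual_address: int
    raw_size: int
    raw_offset: int
    characteristics: int
    entropy: float

    @property
    def name(self) -> str:
        return self.raw_name.decode("latin-1")


def parse_sections(image: bytes) -> list[Section]:
    """Walk IMAGE_DOS_HEADER -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        name, _vsize, vaddr, rsize, roff, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + i * SECTION_HEADER_SIZE)
        data = image[roff:roff + rsize]
        out.append(Section(name.rstrip(b"\0"), vaddr, rsize, roff, chars, shannon_entropy(data)))
    return out


def suspicious_sections(sections: list[Section], entropy_threshold: float = 7.2) -> list[tuple[str, str]]:
    """(section name, reason) pairs; the entropy threshold is an assumption tuned for packed code."""
    findings = []
    for s in sections:
        if any(b not in ALLOWED_NAME_BYTES for b in s.raw_name):
            findings.append((s.name, "section name contains special characters"))
        elif s.name not in COMMON_SECTION_NAMES:
            findings.append((s.name, "non-standard section name"))
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s.name, "section is writable and executable"))
        if s.raw_size and s.entropy >= entropy_threshold:
            findings.append((s.name, f"high entropy {s.entropy:.2f} bits/byte"))
    return findings


def build_test_image(sections: list[tuple[bytes, bytes, int]]) -> bytes:
    """Constructed minimal PE32 (DOS header, PE signature, file header with an empty
    optional header, section table, raw data). For the self-test only, not the sample."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_offset = e_lfanew + 4 + 20 + SECTION_HEADER_SIZE * len(sections)
    headers, payload = b"", b""
    for name, data, chars in sections:
        vaddr = 0x1000 * (len(headers) // SECTION_HEADER_SIZE + 1)
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                               raw_offset + len(payload), 0, 0, 0, 0, chars)
        payload += data
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_header + headers + payload


def demo() -> list[tuple[str, str]]:
    """Constructed image echoing the dropped file's layout: normal sections plus a packer stub."""
    image = build_test_image([
        (b".text", b"\x90" * 512, 0x60000020),             # code, read + execute
        (b".rsrc", b"\0" * 256, 0x40000040),               # data, read-only
        (b".themida", bytes(range(256)) * 4, 0xE0000040),  # read + write + execute, uniform bytes
        (b".boot", bytes(range(256)) * 2, 0x60000020),     # read + execute, uniform bytes
        (b".\x01\xff", b"x" * 16, 0x40000040),             # non-printable bytes in the name
    ])
    return suspicious_sections(parse_sections(image))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name!r}: {reason}")
```

Run against a real file, `suspicious_sections(parse_sections(open(path, "rb").read()))` gives the same kind of list; a high whole-file entropy like the 7.96 reported here is usually driven by one or two packer sections, which this per-section view isolates.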
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0
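This 26-byte drop is the content of a Zone.Identifier alternate data stream, the NTFS stream Windows uses to record where a file came from (the mark of the web). Mark-of-the-web checks such as SmartScreen and Office Protected View treat a file as a download only when the zone is 3 (Internet) or 4 (Restricted Sites); ZoneId=0 declares a local-machine origin. The Python below is an added example, not code from the report or from Joe Security: it parses the stream format, maps the zone id to its URLZONE name and says whether it counts as mark of the web, and shows how the stream is addressed on NTFS. The first sample input reproduces the dropped file byte for byte; the second, including its example.invalid URLs, is constructed for contrast.

```python
# Added example, not part of the Joe Sandbox report. Decodes a Zone.Identifier
# alternate data stream and reports whether it carries a mark of the web.
import configparser
from typing import Optional

# URLZONE values as used in Zone.Identifier.
URL_ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
             3: "Internet", 4: "Restricted Sites"}

# Constructed inputs. SAMPLE_DROPPED reproduces the dropped file's preview byte for byte
# (26 bytes, matching the reported size); SAMPLE_DOWNLOAD mimics a browser-written stream
# with a made-up host (example.invalid).
SAMPLE_DROPPED = b"[ZoneTransfer]\r\n\r\nZoneId=0"
SAMPLE_DOWNLOAD = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                   b"ReferrerUrl=https://example.invalid/\r\n"
                   b"HostUrl=https://example.invalid/installer.exe\r\n")


def parse_zone_identifier(stream: bytes) -> dict:
    """Return the zone id, its name, whether it counts as mark of the web, and any recorded URLs."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(stream.decode("utf-8", errors="replace"))
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    zt = cp["ZoneTransfer"]
    if "ZoneId" not in zt:
        raise ValueError("ZoneId missing")
    zone_id = int(zt["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone_name": URL_ZONES.get(zone_id, f"unknown ({zone_id})"),
        # Only Internet (3) and Restricted Sites (4) trigger mark-of-the-web handling.
        "mark_of_the_web": zone_id >= 3,
        "referrer_url": zt.get("ReferrerUrl"),
        "host_url": zt.get("HostUrl"),
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """On NTFS the stream is opened as '<path>:Zone.Identifier'; None when the file has none."""
    try:
        with open(f"{path}:Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for label, sample in (("dropped", SAMPLE_DROPPED), ("constructed download", SAMPLE_DOWNLOAD)):
        print(label, parse_zone_identifier(sample))
```

On a Windows host, `read_zone_identifier(r"C:\path\to\file.exe")` returns the same dictionary for a real file, or None when no stream is present; a stream declaring zone 0 on a file that a freshly downloaded process wrote is the case this dropped file illustrates.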
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:modified
                                    Size (bytes):5541
                                    Entropy (8bit):7.899424497308472
                                    Encrypted:false
                                    SSDEEP:96:ZWGzqeAoMq+YK0KF8cAJiI2i+u3u6gQDNzajlalKZRcnG1B/LOzljc0tVIK63KJP:tqASpF8wF+u6gQD5aRalxG1Glj7O6JP
                                    MD5:8A9C5CEED3C76FEF125BBD9300DB31DA
                                    SHA1:EDE80F8EF7802D9C9C4381AB6EACA90AAD4ABCA9
                                    SHA-256:7A27CFB79078D21713C9FDD251795004BE7AA3D159A946AAB30FEDBEEC530D6A
                                    SHA-512:3C6E05F8D4C3496B32EBE62EE650288432191AA9C82421024C0D4F066A6B1CDA8010B64C40AE07406B8E6D80724919CA21308866C9B9A26A6A8539036F1B32CE
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\SYv2wcsD2EVzcZNBuLFypWC.zip, Author: Joe Security
                                    Preview:PK...........X................Cookies\..PK...........XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:modified
                                    Size (bytes):5639
                                    Entropy (8bit):7.894594765783779
                                    Encrypted:false
                                    SSDEEP:96:bUT29vHz9WQBavDziBP1Pe4McobRHSImi4AQbRqPdX5cu5DcHh3KJn:bUT29Hz9WGFh1Pe4q4B7AQkPdXvmHh61
                                    MD5:ED55CEB357DDE83112D02D47E769BF25
                                    SHA1:09648B7E00CF7FF18FBED296CD71F1D161F37ED8
                                    SHA-256:7C57118232B3F723622F7A6152BB5A3A66BC803C810991128179CADD27E8CF38
                                    SHA-512:7C8943DAD33F96FFFDB2B5E0264351E7BFA33C8FC3288DAE0CA0E1FE3A2804900608D808B5C350A5973F5B8F1F5D9441D8B837ADD19C99AB072D78157C328570
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\lw3hbkC7r6iSSxte_tz5rje.zip, Author: Joe Security
                                    Preview:PK...........X................Cookies\..PK...........X..s@..../......Cookies\Chrome_Default.txt.G.....5..G.BMx.....%.M...{...?.LH..71.t.....:y3..s./.0.m.%......../. ..!..A.C.........;...x...........!.2.....Z..<....*<.h8..<.q;.....9....gK.}.R.#f...A.E...1...?lR....b.....nS=l.%E&'...>x......h.......E)C..t..'.2<Z_@.........&Lk......0..B.mqk.9M1lf.-e@....E.v..R&..|..-....C.w.Y.K... ...*.....k..3..2W5.!vs.....S.~.......0._.*..e.....U...).....>...g+;...z[Ks....Z..d...|.".v..(...I....+.7.y.X@.H....eV.............Y..c..x...Kw.'S>.d|.....B..k.p..|C|F.......O52....`f.3W..../....i..E...7..c.Kwv..,]..C..j.2.T..+............t.2....6.M>..s..K.M...VJ..>;.......n.<f;]s.K..5...n....~$ ....%......Z#.....Q5...<n...I&......0<:..>..I.K)g.)..KX.H.(Y!..j4W.j..1.V..d\.T..,p...D...T..>z...,.....L.....Mh.t..!....A...!?.U...x..[a7j.N;#..t.\.#.Z.-)f...v_.<..?..`.D0..?......).vX.#...Lw.j...1.....M.#...+.W....h....U.W....G.w......'.Y?.....;.....`...X...C..w..
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):13
                                    Entropy (8bit):2.5654483718208256
                                    Encrypted:false
                                    SSDEEP:3:L1XQcu6:Rs6
                                    MD5:E0B04B1FAA889F3963BB9122F2571BD8
                                    SHA1:85708F0BD56809DE1E33C569DCD8E289890DC031
                                    SHA-256:C1E16BB531DA676F881236827BCEE8A2AF9D59DD18677A0B76BAB65E1F35EE87
                                    SHA-512:DB2AC7D74A076ED49B3F383B50700F4C932747B5DEE654765DF04FCCA2AD088889E99CE6D8F1A3375FDA9659660DEBF6C36A647BAAD915148F337D2F874D9DE8
                                    Malicious:false
                                    Preview:1718925978825
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.08235737944063153
                                    Encrypted:false
                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):5242880
                                    Entropy (8bit):0.037963276276857943
                                    Encrypted:false
                                    SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                    MD5:C0FDF21AE11A6D1FA1201D502614B622
                                    SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                    SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                    SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                    Malicious:false
                                    Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):5242880
                                    Entropy (8bit):0.037963276276857943
                                    Encrypted:false
                                    SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                    MD5:C0FDF21AE11A6D1FA1201D502614B622
                                    SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                    SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                    SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                    Malicious:false
                                    Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):159744
                                    Entropy (8bit):0.7873599747470391
                                    Encrypted:false
                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):126976
                                    Entropy (8bit):0.47147045728725767
                                    Encrypted:false
                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):159744
                                    Entropy (8bit):0.7873599747470391
                                    Encrypted:false
                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):49152
                                    Entropy (8bit):0.8180424350137764
                                    Encrypted:false
                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                    MD5:349E6EB110E34A08924D92F6B334801D
                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):126976
                                    Entropy (8bit):0.47147045728725767
                                    Encrypted:false
                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                    Category:dropped
                                    Size (bytes):28672
                                    Entropy (8bit):2.5793180405395284
                                    Encrypted:false
                                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.08235737944063153
                                    Encrypted:false
                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):126976
                                    Entropy (8bit):0.47147045728725767
                                    Encrypted:false
                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):5242880
                                    Entropy (8bit):0.037963276276857943
                                    Encrypted:false
                                    SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                    MD5:C0FDF21AE11A6D1FA1201D502614B622
                                    SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                    SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                    SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):126976
                                    Entropy (8bit):0.47147045728725767
                                    Encrypted:false
                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):159744
                                    Entropy (8bit):0.7873599747470391
                                    Encrypted:false
                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):5242880
                                    Entropy (8bit):0.037963276276857943
                                    Encrypted:false
                                    SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                    MD5:C0FDF21AE11A6D1FA1201D502614B622
                                    SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                    SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                    SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):49152
                                    Entropy (8bit):0.8180424350137764
                                    Encrypted:false
                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                    MD5:349E6EB110E34A08924D92F6B334801D
                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):159744
                                    Entropy (8bit):0.7873599747470391
                                    Encrypted:false
                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                    Category:dropped
                                    Size (bytes):28672
                                    Entropy (8bit):2.5793180405395284
                                    Encrypted:false
                                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):6085
                                    Entropy (8bit):6.038274200863744
                                    Encrypted:false
                                    SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                    MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                    SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                    SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                    SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                    Malicious:false
                                    Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:ASCII text, with CRLF, LF line terminators
                                    Category:dropped
                                    Size (bytes):6083
                                    Entropy (8bit):5.532477780895963
                                    Encrypted:false
                                    SSDEEP:96:xbPIORk1cT4Aisph+9hcm1kpXUqGfB8S3gkNYx/jIxRYjhe8Ok8l9if1WDZql1DU:xX21vAtphWhcm1kpXeB
                                    MD5:1A6E9C5C2BCF0F52A172D4FB4CD5F7A5
                                    SHA1:CD7149C8E9705F2BBD5925349D992BAB8CBD0415
                                    SHA-256:FAA77D3A8FDD02B172118B255D39CAF31CAFE14333C8F45F90DD59A147AA07DF
                                    SHA-512:BEC7D235EBC1F7AA004DE57420C39948EFEAE1F58F25EEBABA9DF8216DFC475653D125C3FE22637E7FCED4EFBA9E0BCA825845D1F21C3F5E048B39017772B73D
                                    Malicious:false
                                    Preview:Build: binga..Version: 2.0....Date: Thu Jun 20 17:32:12 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 7f48667f87a7a89dff5d6465b689ff1d....Path: C:\Users\user\Desktop\7rA1iX60wh.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyfMKOdBHYvzaR....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 932923 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 17:32:12..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.ex
                                    Process:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                    Category:dropped
                                    Size (bytes):4897
                                    Entropy (8bit):2.518316437186352
                                    Encrypted:false
                                    SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                    MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                    SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                    SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                    SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                    Malicious:false
                                    Preview:................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):12170
                                    Entropy (8bit):6.038274200863744
                                    Encrypted:false
                                    SSDEEP:192:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WhHGYUnOTNC5IcXkWFXZQHRFJ5Pts7c3aP:gwsPbtKvCpqq40wsPbtKvCpqq47
                                    MD5:B6F52D24FC4333CE4C66DDA3C3735C85
                                    SHA1:5B69F1D66E95EFE2CF1710E9F58526B2AAEC67E4
                                    SHA-256:0FEE1A764F541EC6733DB89C823296650F6E581CD7D812D5A142B5A0AD9BC9B6
                                    SHA-512:CD2C6D64083061D7C7A7E89CF9C9F7D2B66301C73CFB56D2CCD94D1B810DE42774DAE5B77DB2E567A26FC54989C04D8A60D76225E6F3F91FCD2AE4D2E01F3C4C
                                    Malicious:false
                                    Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
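The two ASCII files previewed above (one dropped by 7rA1iX60wh.exe, the larger one by the MPGPH131.exe copy) are cookie exports in Netscape cookies.txt layout: domain, include-subdomains flag, path, secure flag, Unix expiry, name, value. The value column is not plaintext. Every value is framed as ENC893*_<base64>_<base64>*, and the first base64 blob starts with "djEw", which decodes to the bytes "v10": the marker Chromium puts in front of a cookie value it has encrypted with AES-256-GCM under the profile's DPAPI-protected master key (12-byte nonce after the prefix, 16-byte GCM tag at the end). The second base64 field decodes to 32 bytes and is identical in every record of the preview; the report does not say what it is. The parser below is an added example written for this page, not code from the report or from the sample. Its fixture is the first two records rebuilt from the preview with tab separators and CRLF line ends assumed, and it only reports structure (prefix, nonce, tag, ciphertext length); it does not decrypt anything.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed fixture: the first two records of the dropped cookie file as previewed
# in the report. The preview prints non-printable bytes as dots; tab separators and
# CRLF line ends are an assumption (standard Netscape cookies.txt layout).
_NID_BLOB = (
    "djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFr"
    "QMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNN"
    "tXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M0"
    "0HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc="
)
_AUTH_BLOB = "djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E="
TRAILER_B64 = "b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME="   # same in every record of the preview

SAMPLE_COOKIES = (
    ".google.com\tTRUE\t/\tTRUE\t1712145003\tNID\tENC893*_" + _NID_BLOB + "_" + TRAILER_B64 + "*\r\n"
    "support.microsoft.com\tFALSE\t/\tTRUE\t1696413835\t.AspNetCore.AuthProvider\tENC893*_"
    + _AUTH_BLOB + "_" + TRAILER_B64 + "*\r\n"
)

# Value framing observed in the preview: ENC893*_<base64 blob>_<base64 trailer>*
ENC_RE = re.compile(r"^ENC893\*_(?P<blob>[A-Za-z0-9+/=]+)_(?P<trailer>[A-Za-z0-9+/=]+)\*$")

# Chromium on Windows: "v10" + 12-byte nonce + AES-256-GCM ciphertext + 16-byte tag.
CHROMIUM_PREFIX = b"v10"
NONCE_LEN, TAG_LEN = 12, 16


def parse_value(raw):
    """Classify one value column: plain text, or the sample's ENC893 wrapper around a Chromium blob."""
    m = ENC_RE.match(raw)
    if not m:
        return {"scheme": "plain", "value": raw}
    blob = base64.b64decode(m["blob"])
    trailer = base64.b64decode(m["trailer"])
    info = {
        "scheme": "ENC893",
        "blob_len": len(blob),
        "trailer": m["trailer"],
        "trailer_len": len(trailer),
        "chromium_v10": False,
    }
    overhead = len(CHROMIUM_PREFIX) + NONCE_LEN + TAG_LEN
    if blob.startswith(CHROMIUM_PREFIX) and len(blob) >= overhead:
        info["chromium_v10"] = True
        info["nonce"] = blob[len(CHROMIUM_PREFIX):len(CHROMIUM_PREFIX) + NONCE_LEN].hex()
        info["ciphertext_len"] = len(blob) - overhead   # bytes of the original cookie value
    return info


def parse_cookie_file(text):
    """Parse Netscape cookies.txt lines; malformed lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, subdomains, path, secure, expires, name, value = fields
        records.append({
            "domain": domain,
            "include_subdomains": subdomains == "TRUE",
            "path": path,
            "secure": secure == "TRUE",
            "expires": datetime.fromtimestamp(int(expires), tz=timezone.utc),
            "name": name,
            "value": parse_value(value),
        })
    return records


def shared_trailer(records):
    """Return the trailer if every ENC893 record carries the same one, else None."""
    trailers = {r["value"]["trailer"] for r in records if r["value"]["scheme"] == "ENC893"}
    return trailers.pop() if len(trailers) == 1 else None
```

The v10 prefix is the check an analyst wants first: it shows the dump was written before any decryption, so the stealer must obtain the profile key separately to use these cookies. Whether the constant 32-byte trailer is that key is not something the page establishes, so the code only reports its length and that it is shared.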
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:ASCII text, with CRLF, LF line terminators
                                    Category:dropped
                                    Size (bytes):6151
                                    Entropy (8bit):5.535148434646244
                                    Encrypted:false
                                    SSDEEP:96:xbDeORkBcT4Aisph+9hcm1kpXNqGfB8S3gkNYx/jIxRYjhe8Ok8l9if1WDZql1Dc:xJ2BvAtphWhcm1kpXJB
                                    MD5:3D02D8345E67F47CA0BAACEEC30C76CF
                                    SHA1:062B0D0C41E50798C8136079BF78A04CA6F8B463
                                    SHA-256:0A889C5B1604E493E779CB8BF769712456D8E9844F6534C0DE2704F4506DA5D5
                                    SHA-512:67623135F217F902D37FA68A6694200C1667F774063FD98BE24F7570EDB7956C04CAC86F50C675AD739F8971B2262DF5AD6317C92A163C1BAA34A4E7500C4A3A
                                    Malicious:false
                                    Preview:Build: binga..Version: 2.0....Date: Thu Jun 20 17:32:16 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 7f48667f87a7a89dff5d6465b689ff1d....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixywHjf0pIE7Aqw....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 932923 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 17:32:16..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe
                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                    Category:dropped
                                    Size (bytes):4897
                                    Entropy (8bit):2.518316437186352
                                    Encrypted:false
                                    SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                    MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                    SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                    SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                    SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                    Malicious:false
                                    Preview:................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.469056632174496
                                    Encrypted:false
                                    SSDEEP:6144:QIXfpi67eLPU9skLmb0b4kWSPKaJG8nAgejZMMhA2gX4WABl0uNidwBCswSbr:1XD94kWlLZMM6YFHE+r
                                    MD5:6DEE3533D4D6FC2E422C77BFE8676C4A
                                    SHA1:C8A7E0804A133A9B889BB40A39A440CBF19DA222
                                    SHA-256:F88E767CAFC9BBB3156FE8596AD12FE46C0A0A4BE5C748443B3458D6D1FB51C1
                                    SHA-512:9DB87CBD70A6313E1772C49684673F5D4E9A8825962801A6AC66503B219F650B45CBF7A485A077A42DD36B6C5E3A73425CF9477B9FD2276B6B585480AC6D7A8B
                                    Malicious:false
                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmB.mRY................................................................................................................................................................................................................................................................................................................................................ezf........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.963565427613973
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:7rA1iX60wh.exe
                                    File size:3'308'048 bytes
                                    MD5:a8b80d67357afbd703ee2a13d9cbf339
                                    SHA1:68620481e594727f1751d84b1e372a5b72d421f9
                                    SHA256:f42d98ec4c311b66ce4b40a98db073cfdf86af1e6fa63b8f9a07555cb4e7958d
                                    SHA512:24c0ca44640a97ccb1a38d8ce98c96e6d307906863db51c433a540212df296136871a2e2f0c628689b20914a64b6f172189b73b391aa0dcfe28449a529e265d5
                                    SSDEEP:98304:R3Z1B/WjR+4+cpPwD2nn8Dw2Urxqs7w5R:fujXdU2Lxp7wz
                                    TLSH:DEE5333370907AB3E4B02DFA587710521DA6BEFF9A931B1911DFDA5A05E734E83A1078
                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                    Icon Hash:8596a1a0a1a1b171
                                    Entrypoint:0x980058
                                    Entrypoint Section:.boot
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                    Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:0
                                    File Version Major:6
                                    File Version Minor:0
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:0
                                    Import Hash:63814aaf116ba6abb6496ce4bcad24c6
                                    Instruction
                                    call 00007F4820E30E00h
                                    push ebx
                                    mov ebx, esp
                                    push ebx
                                    mov esi, dword ptr [ebx+08h]
                                    mov edi, dword ptr [ebx+10h]
                                    cld
                                    mov dl, 80h
                                    mov al, byte ptr [esi]
                                    inc esi
                                    mov byte ptr [edi], al
                                    inc edi
                                    mov ebx, 00000002h
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    jnc 00007F4820E30C9Ch
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    jnc 00007F4820E30D03h
                                    xor eax, eax
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    jnc 00007F4820E30D97h
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    adc eax, eax
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    adc eax, eax
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    adc eax, eax
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    adc eax, eax
                                    je 00007F4820E30CBAh
                                    push edi
                                    mov eax, eax
                                    sub edi, eax
                                    mov al, byte ptr [edi]
                                    pop edi
                                    mov byte ptr [edi], al
                                    inc edi
                                    mov ebx, 00000002h
                                    jmp 00007F4820E30C4Bh
                                    mov eax, 00000001h
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    adc eax, eax
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    jc 00007F4820E30C9Ch
                                    sub eax, ebx
                                    mov ebx, 00000001h
                                    jne 00007F4820E30CDAh
                                    mov ecx, 00000001h
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    adc ecx, ecx
                                    add dl, dl
                                    jne 00007F4820E30CB7h
                                    mov dl, byte ptr [esi]
                                    inc esi
                                    adc dl, dl
                                    jc 00007F4820E30C9Ch
                                    push esi
                                    mov esi, edi
                                    sub esi, ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19618b | 0x184 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18a000 | 0x1638 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7f1000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x197018 | 0x18 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x18369c | 0x40 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x15bbc8 | 0x9d200 | ce6560505cf4c77ceeff521f0b1dd0ca | False | 0.9985052456245028 | data | 7.976114758528028 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(unnamed) | 0x15d000 | 0x27e32 | 0x10a00 | a80c041c9956f89999ec20e40c4195d1 | False | 0.9933916823308271 | data | 7.93829062487739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed) | 0x185000 | 0x4930 | 0x800 | 82a7565b59e6c45c33761fb825711586 | False | 0.98974609375 | OpenPGP Secret Key | 7.77625925366548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x18a000 | 0x1638 | 0x1800 | fe6f3fdb9e7e97cba92d8ce4e4fcc95b | False | 0.7220052083333334 | data | 6.54017046361188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed) | 0x18c000 | 0x9858 | 0x7200 | dd61d08f502b5631df830501cadfa154 | False | 0.977453399122807 | data | 7.92268004130138 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x196000 | 0x1000 | 0x400 | 1b20e07443fa333ff9692026d1e6c6c2 | False | 0.3984375 | data | 3.42439969016873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x197000 | 0x1000 | 0x200 | 54a50a058e0f3b6aa2fe1b22e2033106 | False | 0.056640625 | data | 0.18120187678200297 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida | 0x198000 | 0x3e8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x580000 | 0x270200 | 0x270200 | 7bf41848303f1b24a888b2e0203c9d98 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x7f1000 | 0x1000 | 0x10 | f5bc99b71bad9e8a775cc32747e3ca58 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.474601752714581 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x18a440 | 0x1060 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.8838263358778626
RT_GROUP_ICON | 0x18b4a0 | 0x14 | data | Russian | Russia | 1.05
RT_VERSION | 0x18a130 | 0x310 | data | Russian | Russia | 0.45408163265306123
RT_MANIFEST | 0x18b4b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | wsprintfA
GDI32.dll | CreateCompatibleBitmap
ADVAPI32.dll | RegQueryValueExA
SHELL32.dll | ShellExecuteA
ole32.dll | CoInitialize
WS2_32.dll | WSAStartup
CRYPT32.dll | CryptUnprotectData
SHLWAPI.dll | PathFindExtensionA
gdiplus.dll | GdipGetImageEncoders
SETUPAPI.dll | SetupDiEnumDeviceInfo
ntdll.dll | RtlUnicodeStringToAnsiString
RstrtMgr.DLL | RmStartSession
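The section table above (every compiler section near entropy 8, a .themida section with zero raw size that is writable and executable, an entrypoint inside .boot rather than a code section) together with an import table that names exactly one function per DLL are the classic static fingerprints of a protector stub. The following Python example is added here and is not part of the Joe Sandbox report: it turns those observations into a reusable triage check. The section and import records are transcribed from this report's tables; the entropy threshold, the list of protector section names and the "one import per DLL" rule are the editor's assumptions.

```python
"""Packer/protector triage from PE section and import metadata.

Added example, not Joe Sandbox code. SECTIONS and IMPORTS are transcribed
from this report's tables; thresholds and name lists are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Section:
    name: str                   # "" where the report shows no section name
    va: int                     # section RVA
    vsize: int                  # virtual size
    rawsize: int                # size on disk
    entropy: Optional[float]    # None where the report says "unknown"
    flags: FrozenSet[str]

    def label(self) -> str:
        return self.name or f"<unnamed@{self.va:#x}>"


IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x980058        # absolute entrypoint from the report

# Transcribed from the report's section table (constructed dataset).
SECTIONS: List[Section] = [
    Section("", 0x1000, 0x15bbc8, 0x9d200, 7.976, frozenset({"CODE", "EXECUTE", "READ"})),
    Section("", 0x15d000, 0x27e32, 0x10a00, 7.938, frozenset({"INITIALIZED_DATA", "READ"})),
    Section("", 0x185000, 0x4930, 0x800, 7.776, frozenset({"INITIALIZED_DATA", "READ", "WRITE"})),
    Section(".rsrc", 0x18a000, 0x1638, 0x1800, 6.540, frozenset({"INITIALIZED_DATA", "READ"})),
    Section("", 0x18c000, 0x9858, 0x7200, 7.923, frozenset({"INITIALIZED_DATA", "DISCARDABLE", "READ"})),
    Section(".idata", 0x196000, 0x1000, 0x400, 3.424, frozenset({"INITIALIZED_DATA", "READ", "WRITE"})),
    Section(".tls", 0x197000, 0x1000, 0x200, 0.181, frozenset({"READ", "WRITE"})),
    Section(".themida", 0x198000, 0x3e8000, 0x0, None, frozenset({"CODE", "INITIALIZED_DATA", "EXECUTE", "READ", "WRITE"})),
    Section(".boot", 0x580000, 0x270200, 0x270200, None, frozenset({"CODE", "INITIALIZED_DATA", "EXECUTE", "READ"})),
    Section(".reloc", 0x7f1000, 0x1000, 0x10, 2.475, frozenset({"READ"})),
]

# Transcribed from the report's import table: one function per DLL.
IMPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["GetModuleHandleA"], "USER32.dll": ["wsprintfA"],
    "GDI32.dll": ["CreateCompatibleBitmap"], "ADVAPI32.dll": ["RegQueryValueExA"],
    "SHELL32.dll": ["ShellExecuteA"], "ole32.dll": ["CoInitialize"],
    "WS2_32.dll": ["WSAStartup"], "CRYPT32.dll": ["CryptUnprotectData"],
    "SHLWAPI.dll": ["PathFindExtensionA"], "gdiplus.dll": ["GdipGetImageEncoders"],
    "SETUPAPI.dll": ["SetupDiEnumDeviceInfo"], "ntdll.dll": ["RtlUnicodeStringToAnsiString"],
    "RstrtMgr.DLL": ["RmStartSession"],
}

# Assumed lists: section names emitted by well-known protectors, and the
# names a compiler/linker gives the real code section.
PROTECTOR_NAMES = {".themida", ".winlicense", ".vmp0", ".vmp1", ".upx0", ".upx1", ".aspack", ".boot"}
COMPILER_CODE_NAMES = {".text", "CODE", ".code"}
HIGH_ENTROPY = 7.5              # assumed threshold; compressed/encrypted data sits near 8.0


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s.va <= rva < s.va + s.vsize:
            return s
    return None


def packer_indicators(sections: List[Section], imports: Dict[str, List[str]],
                      entrypoint_va: int, image_base: int) -> Dict[str, object]:
    """Collect independent packer indicators; each key maps to the evidence found."""
    hits: Dict[str, object] = {}

    ep = section_for_rva(sections, entrypoint_va - image_base)
    if ep is None or ep.name not in COMPILER_CODE_NAMES:
        hits["entrypoint_outside_code"] = ep.label() if ep else "<no section>"

    high = [s.label() for s in sections if s.entropy is not None and s.entropy >= HIGH_ENTROPY]
    if high:
        hits["high_entropy"] = high

    # Zero raw size but a large virtual size: the stub fills it at runtime.
    virtual_only = [s.label() for s in sections if s.rawsize == 0 and s.vsize > 0]
    if virtual_only:
        hits["virtual_only"] = virtual_only

    wx = [s.label() for s in sections if {"EXECUTE", "WRITE"} <= s.flags]
    if wx:
        hits["writable_code"] = wx

    named = [s.name for s in sections if s.name in PROTECTOR_NAMES]
    if named:
        hits["protector_section_names"] = named

    unnamed = [s.label() for s in sections if not s.name]
    if unnamed:
        hits["unnamed_sections"] = unnamed

    # A linked binary imports many functions per DLL; a protector keeps one
    # per DLL so the loader maps the module, then resolves the rest itself.
    if imports and all(len(funcs) == 1 for funcs in imports.values()):
        hits["one_import_per_dll"] = sorted(imports, key=str.lower)

    return hits


if __name__ == "__main__":
    for key, evidence in packer_indicators(SECTIONS, IMPORTS, ENTRYPOINT_VA, IMAGE_BASE).items():
        print(f"{key}: {evidence}")
```

Each key in the result is a separate class of evidence, so the number of keys is a crude score: a clean compiler-built binary should produce none of them, while this sample trips all seven. The same function can be fed records parsed from any PE library; only the transcribed input is specific to this report.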
Language of compilation system | Country where language is spoken
Russian | Russia
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/20/24-23:32:17.457498 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:32:05.022651 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:32:01.314499 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:32:23.634453 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49751 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:05.631353 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:18.079804 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49740 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:16.340233 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49740 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:01.877338 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:05.646014 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:17.457568 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:32:06.016692 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:06.217335 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:06.245750 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
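The alert table above ties three parallel TCP sessions (local ports 49731, 49732, 49733) to the same remote endpoint, 77.91.77.66:58709, and labels them with RisePro signatures, while the TLS connections to 34.117.186.192 and 104.26.4.15 on port 443 carry no alert. The Python example below is added here and is not part of the Joe Sandbox report: it shows how an analyst folds a connection log and the Snort alert list into one per-remote-endpoint view and derives a verdict from port choice, connection fan-out and attached signatures. The sample lines are constructed from rows of this report's two network tables, written with " | " as the column separator (the report renders them as table columns); the local subnet, the common-port list and the verdict rule are the editor's assumptions.

```python
"""Correlate a sandbox connection log with Snort alerts per remote endpoint.

Added example, not Joe Sandbox code. PACKETS and ALERTS are constructed from
rows of this report; the separator, LOCAL_NET, COMMON_PORTS and the verdict
rule are assumptions.
"""
import ipaddress
import re
from datetime import datetime
from typing import Dict, List, Tuple

LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")      # analysis VM subnet seen in the report
COMMON_PORTS = {21, 22, 25, 53, 80, 443, 587, 993, 995}  # assumed "expected" destination ports

# Constructed from the report's TCP packet table.
PACKETS = """\
Jun 20, 2024 23:32:01.284159899 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:01.289402008 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.017699003 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.022922039 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.027462006 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.032974005 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.066450119 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.066477060 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.723119020 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:06.723211050 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
""".splitlines()

# Constructed from the report's Snort alert table.
ALERTS = """\
06/20/24-23:32:01.314499 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:32:01.877338 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
06/20/24-23:32:05.022651 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:32:06.016692 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
""".splitlines()

_PKT_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")


def parse_packet_ts(text: str) -> datetime:
    """'Jun 20, 2024 23:32:01.284159899 CEST' -> naive datetime, nanoseconds truncated to microseconds."""
    m = _PKT_TS.match(text.strip())
    if not m:
        raise ValueError(f"bad packet timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))


def parse_alert_ts(text: str) -> datetime:
    """Snort's '06/20/24-23:32:01.314499' form."""
    return datetime.strptime(text.strip(), "%m/%d/%y-%H:%M:%S.%f")


def remote_side(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int, int]:
    """Return (remote_ip, remote_port, local_port) regardless of packet direction."""
    if ipaddress.ip_address(src_ip) in LOCAL_NET:
        return dst_ip, dst_port, src_port
    return src_ip, src_port, dst_port


def summarize(packet_lines: List[str], alert_lines: List[str]) -> Dict[str, dict]:
    """Group packets by remote endpoint, attach alert SIDs, and assign a verdict."""
    flows: Dict[str, dict] = {}
    for line in packet_lines:
        ts, sp, dp, sip, dip = [c.strip() for c in line.split("|")]
        rip, rport, lport = remote_side(sip, int(sp), dip, int(dp))
        t = parse_packet_ts(ts)
        f = flows.setdefault(f"{rip}:{rport}", {
            "remote_ip": rip, "remote_port": rport, "local_ports": set(),
            "packets": 0, "first": t, "last": t, "sids": set(), "messages": set(),
        })
        f["local_ports"].add(lport)          # one local port per TCP session
        f["packets"] += 1
        f["first"] = min(f["first"], t)
        f["last"] = max(f["last"], t)

    for line in alert_lines:
        ts, _proto, sid, msg, sp, dp, sip, dip = [c.strip() for c in line.split("|")]
        rip, rport, _ = remote_side(sip, int(sp), dip, int(dp))
        f = flows.get(f"{rip}:{rport}")
        if f is None:                        # alert on an endpoint with no packets: nothing to attach to
            continue
        t = parse_alert_ts(ts)
        f["sids"].add(int(sid))
        f["messages"].add(msg)
        f["first_alert"] = min(f.get("first_alert", t), t)

    for f in flows.values():
        f["nonstandard_port"] = f["remote_port"] not in COMMON_PORTS
        parallel = len(f["local_ports"]) >= 2
        # Assumed rule: any IDS hit, or an odd port with several concurrent sessions.
        f["verdict"] = "likely C2" if f["sids"] or (f["nonstandard_port"] and parallel) else "review"
    return flows


if __name__ == "__main__":
    for key, f in summarize(PACKETS, ALERTS).items():
        print(f"{key}: sessions={len(f['local_ports'])} packets={f['packets']} "
              f"sids={sorted(f['sids'])} verdict={f['verdict']}")
```

Keying on the remote endpoint rather than the 4-tuple is what makes the fan-out visible: the three sessions to 58709 collapse into one row with three local ports, which is the behaviour the report's "Detected TCP or UDP traffic on non-standard ports" signature is pointing at, while the port-443 endpoints stay at one session each and no alert.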
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 20, 2024 23:32:01.284159899 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:01.289402008 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:01.289511919 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:01.314498901 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:01.319487095 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:01.877337933 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:01.926182032 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.017699003 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.022650957 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.022922039 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.022998095 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.027462006 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.027765036 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.032974005 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.033055067 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.070060015 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.073424101 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.075371981 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.078217983 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.631352901 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.646013975 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:05.676299095 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:05.692085981 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:06.016691923 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.066450119 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.066477060 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.066528082 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.066777945 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:06.067709923 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.067724943 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.175215006 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.217334986 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.223052979 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:06.245749950 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.270057917 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:06.301088095 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.301126957 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.301177025 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:06.301352024 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.301352024 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.301403046 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.301485062 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.302453041 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.302465916 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.302474022 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.302481890 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.353059053 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.353195906 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:06.358088017 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.402981043 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.403486013 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:06.408344030 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.418478966 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.418700933 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:06.423906088 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:06.538228035 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.538296938 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.539797068 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.539805889 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.540621996 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.577838898 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.620548964 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.704186916 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.704545021 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.704611063 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.707199097 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.707220078 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.707231998 CEST | 49734 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.707238913 CEST | 443 | 49734 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.723119020 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:06.723211050 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:06.723300934 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:06.723603010 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:06.723639965 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:06.770047903 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.770153999 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.771125078 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.771135092 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.771917105 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.796998024 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.797174931 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.798135042 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.798139095 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.798907995 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.807562113 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.848031998 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.852494001 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.873418093 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.920527935 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.934148073 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.934305906 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.934367895 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.934659004 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.934710026 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.934743881 CEST | 49735 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:06.934761047 CEST | 443 | 49735 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:06.937217951 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:06.937314987 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:06.937392950 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:06.937716007 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:06.937753916 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.007236004 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:07.007529974 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:07.007611036 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:07.007785082 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:07.007834911 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:07.007867098 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:32:07.007884979 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:32:07.009696960 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.009774923 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.009840012 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.010160923 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.010195017 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.200479031 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.200612068 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.202891111 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.202923059 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.203340054 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.204307079 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.248492956 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.368963003 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.369230032 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.369311094 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.369395971 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.369395971 CEST | 49737 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.369443893 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.369472027 CEST | 443 | 49737 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.369746923 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.374473095 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.421422958 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.421641111 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.422667027 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.422725916 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.423265934 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.424468994 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.472491980 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.483504057 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.483669996 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.484707117 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.484731913 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.485255003 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.486357927 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.528584003 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.577151060 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.577411890 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.577611923 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.577611923 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.577611923 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.577748060 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.582494020 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.633549929 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.633872986 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.633977890 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.634069920 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.634104013 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.634130955 CEST | 49739 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.634149075 CEST | 443 | 49739 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.634310961 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.638036966 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.639117002 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.691792011 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.691910028 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.696953058 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.801302910 CEST | 49738 | 443 | 192.168.2.4 | 104.26.4.15
Jun 20, 2024 23:32:07.801379919 CEST | 443 | 49738 | 104.26.4.15 | 192.168.2.4
Jun 20, 2024 23:32:07.847383976 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.894921064 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.905926943 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.910729885 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.915649891 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.928591967 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.957416058 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.957564116 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:07.962483883 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:07.973138094 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.020037889 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.025057077 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.142793894 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.189744949 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.192003012 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.239021063 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.239829063 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.243917942 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.285907984 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.291397095 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.291945934 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.291960001 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.291975021 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.292000055 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.292013884 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.292021036 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.292032957 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.292071104 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.292092085 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:32:08.292184114 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.292330027 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.292432070 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:32:08.292462111 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
                                    Jun 20, 2024 23:32:08.292505980 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.292521000 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.292553902 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:08.292891026 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.292902946 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.293045044 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:08.293077946 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.293092012 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.293126106 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:08.293323994 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.293378115 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:08.297024012 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.297044992 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.297200918 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:08.409118891 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.409136057 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.409152031 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.409216881 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.409298897 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:08.495779991 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:08.551219940 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:08.567045927 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:08.572169065 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.038077116 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.067529917 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.067550898 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.067611933 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.067656994 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.067846060 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.067862988 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.067889929 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.068197012 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068212986 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068229914 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068240881 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.068243980 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068278074 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.068352938 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068397045 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.068546057 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068562984 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068578959 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068604946 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.068890095 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.068933964 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.069058895 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.074296951 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.074353933 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.079922915 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.080266953 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.080332041 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.082036972 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.082365036 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.082381010 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.082405090 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.082446098 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.084733009 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.084749937 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.084794998 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.085067987 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.085114002 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.085742950 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.085758924 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.085776091 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.085791111 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.085805893 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.085807085 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.085829973 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.085876942 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.085896969 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.085922956 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.087754965 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.087796926 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.098180056 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.102998972 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.188631058 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.188652039 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.188668013 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.188785076 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.188810110 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.188863993 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.188863993 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.205046892 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.205138922 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.205152035 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.205224037 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.205240011 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.205255985 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.205427885 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.205427885 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.205885887 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.238630056 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.254442930 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.262506008 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.283508062 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:10.317156076 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:10.325404882 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:11.348675966 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:11.375344992 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:11.389004946 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:11.394887924 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:11.410551071 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:11.415445089 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:11.441768885 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:11.457602024 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:11.462518930 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:13.046101093 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:13.046101093 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:13.051029921 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:13.051039934 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:13.051047087 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:13.051055908 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:13.051105022 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:13.051112890 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:13.051172018 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:13.056094885 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:14.327884912 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:14.341835976 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:14.379270077 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:14.394877911 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:15.730643988 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:15.735826015 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:15.735929012 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:15.762239933 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:15.767538071 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:16.129806995 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:16.135242939 CEST587094973177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:16.135320902 CEST4973158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:16.340233088 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:16.394891977 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.220590115 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.220690012 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.225577116 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.225594044 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.225608110 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.225620985 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.225635052 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.225766897 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.225780964 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.230515957 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.352395058 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.352557898 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.357454062 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.357492924 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.357506990 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.357521057 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.357557058 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.357862949 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.357918978 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.362375975 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.457498074 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.457567930 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:17.469109058 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.469125986 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.702764034 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:17.894892931 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:18.079399109 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:18.079803944 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:18.079870939 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:18.144104958 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.144196987 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.144581079 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.146225929 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.146311045 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.610605001 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.610696077 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.612474918 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.612560034 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.613137007 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.689421892 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.736510992 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.826889038 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.827032089 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.829006910 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.831280947 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.831280947 CEST49744443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:18.831329107 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.831358910 CEST4434974434.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:18.835699081 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:18.835747004 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:18.835825920 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:18.836847067 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:18.836862087 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.311213970 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.311295986 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:19.312531948 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:19.312546968 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.313524008 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.322638035 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:19.364557028 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.474834919 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.475101948 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.475162983 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:19.475261927 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:19.475285053 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.475322962 CEST49747443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:19.475331068 CEST44349747104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:19.475653887 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:19.480587006 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:19.778642893 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:19.802083015 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:19.806945086 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:20.169337988 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:20.240694046 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:20.285641909 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:20.290822029 CEST587094973277.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:20.290880919 CEST4973258709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:20.331826925 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:20.332854033 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:20.337651014 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:20.441787004 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:20.447336912 CEST587094973377.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:20.447415113 CEST4973358709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:23.022330046 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:23.027252913 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:23.027318954 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:23.042903900 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:23.047687054 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:23.254281044 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:23.260823011 CEST587094974077.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:23.260878086 CEST4974058709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:23.634453058 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:23.676106930 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:23.762183905 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:23.762386084 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:23.767185926 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:23.848853111 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:23.894870996 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:24.056416988 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.056533098 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.057245016 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.058163881 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.058201075 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.521893024 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.521977901 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.523250103 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.523272991 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.523758888 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.565612078 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.612494946 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.693378925 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.693798065 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.693865061 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.693953037 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.693995953 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.694025040 CEST49753443192.168.2.434.117.186.192
                                    Jun 20, 2024 23:32:24.694041967 CEST4434975334.117.186.192192.168.2.4
                                    Jun 20, 2024 23:32:24.695296049 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:24.695341110 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:24.695447922 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:24.695822954 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:24.695841074 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.168864965 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.168958902 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:25.170284986 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:25.170324087 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.170674086 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.171885967 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:25.212541103 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.561019897 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.561148882 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.561203003 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:25.561465025 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:25.561491013 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.561515093 CEST49755443192.168.2.4104.26.4.15
                                    Jun 20, 2024 23:32:25.561522961 CEST44349755104.26.4.15192.168.2.4
                                    Jun 20, 2024 23:32:25.561959982 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:25.567747116 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:26.798727989 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:26.847958088 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:26.879343033 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:26.884104013 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:28.434302092 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:28.488588095 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:31.535537004 CEST4975158709192.168.2.477.91.77.66
                                    Jun 20, 2024 23:32:31.541121006 CEST587094975177.91.77.66192.168.2.4
                                    Jun 20, 2024 23:32:31.541171074 CEST4975158709192.168.2.477.91.77.66
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 20, 2024 23:32:06.054620981 CEST | 49478 | 53 | 192.168.2.4 | 1.1.1.1
Jun 20, 2024 23:32:06.061911106 CEST | 53 | 49478 | 1.1.1.1 | 192.168.2.4
Jun 20, 2024 23:32:06.710841894 CEST | 64094 | 53 | 192.168.2.4 | 1.1.1.1
Jun 20, 2024 23:32:06.722404003 CEST | 53 | 64094 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 20, 2024 23:32:06.054620981 CEST | 192.168.2.4 | 1.1.1.1 | 0xa11b | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Jun 20, 2024 23:32:06.710841894 CEST | 192.168.2.4 | 1.1.1.1 | 0x4671 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Jun 20, 2024 23:32:06.061911106 CEST | 1.1.1.1 | 192.168.2.4 | 0xa11b | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
                                     Jun 20, 2024 23:32:06.722404003 CEST | 1.1.1.1 | 192.168.2.4 | 0x4671 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
                                     Jun 20, 2024 23:32:06.722404003 CEST | 1.1.1.1 | 192.168.2.4 | 0x4671 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false
                                     Jun 20, 2024 23:32:06.722404003 CEST | 1.1.1.1 | 192.168.2.4 | 0x4671 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
                                    • ipinfo.io
                                    • https:
                                    • db-ip.com
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port
                                     0 | 192.168.2.4 | 49730 | 34.117.186.192 | 443
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:31:53 UTC | 59 | OUT | GET / HTTP/1.1
                                    Host: ipinfo.io
                                    Connection: Keep-Alive
                                     2024-06-20 21:31:53 UTC | 513 | IN | HTTP/1.1 200 OK
                                    server: nginx/1.24.0
                                    date: Thu, 20 Jun 2024 21:31:53 GMT
                                    content-type: application/json; charset=utf-8
                                    Content-Length: 319
                                    access-control-allow-origin: *
                                    x-frame-options: SAMEORIGIN
                                    x-xss-protection: 1; mode=block
                                    x-content-type-options: nosniff
                                    referrer-policy: strict-origin-when-cross-origin
                                    x-envoy-upstream-service-time: 1
                                    via: 1.1 google
                                    strict-transport-security: max-age=2592000; includeSubDomains
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close
                                     2024-06-20 21:31:53 UTC | 319 | IN | Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22
                                    Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     1 | 192.168.2.4 | 49734 | 34.117.186.192 | 443 | 6752 | C:\Users\user\Desktop\7rA1iX60wh.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:06 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Referer: https://ipinfo.io/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: ipinfo.io
                                     2024-06-20 21:32:06 UTC | 514 | IN | HTTP/1.1 200 OK
                                    server: nginx/1.24.0
                                    date: Thu, 20 Jun 2024 21:32:06 GMT
                                    content-type: application/json; charset=utf-8
                                    Content-Length: 1025
                                    access-control-allow-origin: *
                                    x-frame-options: SAMEORIGIN
                                    x-xss-protection: 1; mode=block
                                    x-content-type-options: nosniff
                                    referrer-policy: strict-origin-when-cross-origin
                                    x-envoy-upstream-service-time: 2
                                    via: 1.1 google
                                    strict-transport-security: max-age=2592000; includeSubDomains
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close
                                     2024-06-20 21:32:06 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                    Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                     2024-06-20 21:32:06 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                    Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     2 | 192.168.2.4 | 49735 | 34.117.186.192 | 443 | 1364 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:06 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Referer: https://ipinfo.io/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: ipinfo.io
                                     2024-06-20 21:32:06 UTC | 514 | IN | HTTP/1.1 200 OK
                                    server: nginx/1.24.0
                                    date: Thu, 20 Jun 2024 21:32:06 GMT
                                    content-type: application/json; charset=utf-8
                                    Content-Length: 1025
                                    access-control-allow-origin: *
                                    x-frame-options: SAMEORIGIN
                                    x-xss-protection: 1; mode=block
                                    x-content-type-options: nosniff
                                    referrer-policy: strict-origin-when-cross-origin
                                    x-envoy-upstream-service-time: 2
                                    via: 1.1 google
                                    strict-transport-security: max-age=2592000; includeSubDomains
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close
                                     2024-06-20 21:32:06 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                    Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                     2024-06-20 21:32:06 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                    Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     3 | 192.168.2.4 | 49736 | 34.117.186.192 | 443 | 5232 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:06 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Referer: https://ipinfo.io/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: ipinfo.io
                                     2024-06-20 21:32:07 UTC | 514 | IN | HTTP/1.1 200 OK
                                    server: nginx/1.24.0
                                    date: Thu, 20 Jun 2024 21:32:06 GMT
                                    content-type: application/json; charset=utf-8
                                    Content-Length: 1025
                                    access-control-allow-origin: *
                                    x-frame-options: SAMEORIGIN
                                    x-xss-protection: 1; mode=block
                                    x-content-type-options: nosniff
                                    referrer-policy: strict-origin-when-cross-origin
                                    x-envoy-upstream-service-time: 3
                                    via: 1.1 google
                                    strict-transport-security: max-age=2592000; includeSubDomains
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close
                                     2024-06-20 21:32:07 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                    Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                     2024-06-20 21:32:07 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                    Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     4 | 192.168.2.4 | 49737 | 104.26.4.15 | 443 | 6752 | C:\Users\user\Desktop\7rA1iX60wh.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:07 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: db-ip.com
                                     2024-06-20 21:32:07 UTC | 653 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 20 Jun 2024 21:32:07 GMT
                                    Content-Type: application/json
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    x-iplb-request-id: A29E3E45:6510_93878F2E:0050_66749FD7_14BE2D1A:7B63
                                    x-iplb-instance: 59128
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AV3g574xEAMhx3bIyAF8x04uRXbe3AtOF%2BubLz3mDo1cu1iHmuTAHQ0uP4ONLuOAi%2FzyPNrXW9lu7WHuOskMnol9adjIqnaa8wBVpiihTffS4oWNmB54IVYShg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 896edea189a40cdd-EWR
                                    alt-svc: h3=":443"; ma=86400
                                     2024-06-20 21:32:07 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                    Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                     2024-06-20 21:32:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     5 | 192.168.2.4 | 49738 | 104.26.4.15 | 443 | 1364 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:07 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: db-ip.com
                                     2024-06-20 21:32:07 UTC | 655 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 20 Jun 2024 21:32:07 GMT
                                    Content-Type: application/json
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    x-iplb-request-id: A29E9E6D:94D6_93878F2E:0050_66749FD7_14BE2D21:7B63
                                    x-iplb-instance: 59128
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NZ65okuB%2FzM9qmKEm4wfhL2RD11qFZ3U9SeY4faA36wVc%2Fue8s0FcIZpje0n%2F2UPNg8JQKvibjusGi0N8lwsHlHFDL6Q8vtwFvPM0fwpmmmFXlivI9RA6qDt8Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 896edea2cf474231-EWR
                                    alt-svc: h3=":443"; ma=86400
                                     2024-06-20 21:32:07 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                    Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                     2024-06-20 21:32:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     6 | 192.168.2.4 | 49739 | 104.26.4.15 | 443 | 5232 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:07 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: db-ip.com
                                     2024-06-20 21:32:07 UTC | 657 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 20 Jun 2024 21:32:07 GMT
                                    Content-Type: application/json
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    x-iplb-request-id: AC4672CA:DFE8_93878F2E:0050_66749FD7_14D23E82:4F34
                                    x-iplb-instance: 59215
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fdcp4drdXDtRuiMv%2FJWaPlltdLQmnPc%2FOL1ubvhTgJquaQPNDXOO%2BUEjOaHii0cYHPcXijMtoyhqP01ZnTklsFbXhd9yErD7i4OkI4D%2FjBmgYtINJsmWDgJ8WQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 896edea32ebb726f-EWR
                                    alt-svc: h3=":443"; ma=86400
                                     2024-06-20 21:32:07 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                    Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                     2024-06-20 21:32:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     7 | 192.168.2.4 | 49744 | 34.117.186.192 | 443 | 2004 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:18 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Referer: https://ipinfo.io/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: ipinfo.io
                                     2024-06-20 21:32:18 UTC | 514 | IN | HTTP/1.1 200 OK
                                    server: nginx/1.24.0
                                    date: Thu, 20 Jun 2024 21:32:18 GMT
                                    content-type: application/json; charset=utf-8
                                    Content-Length: 1025
                                    access-control-allow-origin: *
                                    x-frame-options: SAMEORIGIN
                                    x-xss-protection: 1; mode=block
                                    x-content-type-options: nosniff
                                    referrer-policy: strict-origin-when-cross-origin
                                    x-envoy-upstream-service-time: 3
                                    via: 1.1 google
                                    strict-transport-security: max-age=2592000; includeSubDomains
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close
                                     2024-06-20 21:32:18 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                    Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                     2024-06-20 21:32:18 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                    Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     8 | 192.168.2.4 | 49747 | 104.26.4.15 | 443 | 2004 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:19 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: db-ip.com
                                     2024-06-20 21:32:19 UTC | 659 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 20 Jun 2024 21:32:19 GMT
                                    Content-Type: application/json
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    x-iplb-request-id: A29E9E6D:94D6_93878F2E:0050_66749FE3_14BE2ED3:7B63
                                    x-iplb-instance: 59128
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gbj%2B%2BStcNpazH%2FWLAZfAPPDfHeedSmZRcveE0lczFyV9HkU76Mx2mPLF8rEfRiqZ3MlU4fBOuT1kVQP0A%2FKm2Kw2KxaPp7cg%2BlFkNcZWHBCQg2OsZHA239iWkA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 896edeed4ca44228-EWR
                                    alt-svc: h3=":443"; ma=86400
                                     2024-06-20 21:32:19 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                    Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                     2024-06-20 21:32:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     9 | 192.168.2.4 | 49753 | 34.117.186.192 | 443 | 6972 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:24 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Referer: https://ipinfo.io/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: ipinfo.io
                                     2024-06-20 21:32:24 UTC | 514 | IN | HTTP/1.1 200 OK
                                    server: nginx/1.24.0
                                    date: Thu, 20 Jun 2024 21:32:24 GMT
                                    content-type: application/json; charset=utf-8
                                    Content-Length: 1025
                                    access-control-allow-origin: *
                                    x-frame-options: SAMEORIGIN
                                    x-xss-protection: 1; mode=block
                                    x-content-type-options: nosniff
                                    referrer-policy: strict-origin-when-cross-origin
                                    x-envoy-upstream-service-time: 3
                                    via: 1.1 google
                                    strict-transport-security: max-age=2592000; includeSubDomains
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close
                                     2024-06-20 21:32:24 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                    Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                     2024-06-20 21:32:24 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                    Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     10 | 192.168.2.4 | 49755 | 104.26.4.15 | 443 | 6972 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     2024-06-20 21:32:25 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: db-ip.com
                                    2024-06-20 21:32:25 UTC | 663 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 20 Jun 2024 21:32:25 GMT
                                    Content-Type: application/json
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    x-iplb-request-id: AC46E720:9860_93878F2E:0050_66749FE9_14BE2FA7:7B63
                                    x-iplb-instance: 59128
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6fyDkkiUypq%2FVLSkeC8g6%2BOsUsxtRu2lz%2FiX4L%2FxeO%2BLs8yddzY8HRuytLjRKEhr2I5EAWifqZFnlt1lys0TMPGzOUmU9Ly4rztb8WFY7v%2FtbSLi9r%2Bh2VfQYw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 896edf11b93c8c90-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    2024-06-20 21:32:25 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                    2024-06-20 21:32:25 UTC | 5 | IN | Data Ascii: 0



                                    Target ID:0
                                    Start time:17:31:57
                                    Start date:20/06/2024
                                    Path:C:\Users\user\Desktop\7rA1iX60wh.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\7rA1iX60wh.exe"
                                    Imagebase:0x400000
                                    File size:3'308'048 bytes
                                    MD5 hash:A8B80D67357AFBD703EE2A13D9CBF339
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2009861773.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1836658218.00000000057AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1806000516.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1805883265.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1806000516.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2009458883.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2009888788.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2010729169.00000000057BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1805883265.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1806109261.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1805522634.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1836839841.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1806109261.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:17:32:00
                                    Start date:20/06/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                    Imagebase:0x4b0000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:17:32:00
                                    Start date:20/06/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:17:32:00
                                    Start date:20/06/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                    Imagebase:0x4b0000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:17:32:00
                                    Start date:20/06/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:17:32:01
                                    Start date:20/06/2024
                                    Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    Imagebase:0x400000
                                    File size:3'308'048 bytes
                                    MD5 hash:A8B80D67357AFBD703EE2A13D9CBF339
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.1996827426.0000000005793000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1878445681.0000000005793000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 55%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:6
                                    Start time:17:32:01
                                    Start date:20/06/2024
                                    Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                    Imagebase:0x400000
                                    File size:3'308'048 bytes
                                    MD5 hash:A8B80D67357AFBD703EE2A13D9CBF339
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.1984656819.0000000005770000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1983899285.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:7
                                    Start time:17:32:11
                                    Start date:20/06/2024
                                    Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                    Imagebase:0x400000
                                    File size:3'308'048 bytes
                                    MD5 hash:A8B80D67357AFBD703EE2A13D9CBF339
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 55%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:11
                                    Start time:17:32:16
                                    Start date:20/06/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1944
                                    Imagebase:0xe80000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:17:32:19
                                    Start date:20/06/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1860
                                    Imagebase:0xe80000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:15
                                    Start time:17:32:20
                                    Start date:20/06/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 1904
                                    Imagebase:0xe80000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:16
                                    Start time:17:32:20
                                    Start date:20/06/2024
                                    Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                    Imagebase:0x400000
                                    File size:3'308'048 bytes
                                    MD5 hash:A8B80D67357AFBD703EE2A13D9CBF339
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:23.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:51.5%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:44
41 API calls 48480->48481 48484 4e45a8 48481->48484 48483 41e8a0 41 API calls 48483->48533 49090 4e7640 48484->49090 48487 403350 78 API calls 48489 4e09c4 48487->48489 48491 403350 78 API calls 48489->48491 48493 4e0a6e 48491->48493 49019 44196b GetSystemTimeAsFileTime 48493->49019 48497 402df0 41 API calls std::_Throw_Cpp_error 48497->48533 48509 4e053f CopyFileA 48512 4e05a0 GetLastError 48509->48512 48509->48533 48512->48468 48513 4e6ca0 86 API calls 48513->48533 48515 4e03cd CreateDirectoryA 48515->48512 48515->48533 48529 4032d0 41 API calls std::_Throw_Cpp_error 48529->48533 48533->48464 48533->48465 48533->48468 48533->48474 48533->48483 48533->48497 48533->48509 48533->48513 48533->48515 48533->48529 48535 4dff00 155 API calls 48533->48535 48535->48533 48692 4162d3 48691->48692 48693 4162ce 48691->48693 48692->46825 48694 402df0 std::_Throw_Cpp_error 41 API calls 48693->48694 48694->48692 48695->46825 48697 439820 43 API calls 48696->48697 48698 4e6e2f 48697->48698 48699 4e6e3c 48698->48699 48700 43d0a8 78 API calls 48698->48700 48701 402df0 std::_Throw_Cpp_error 41 API calls 48699->48701 48700->48699 48702 40beae 48701->48702 48702->47036 48702->47052 48746->46989 49013 41e753 49012->49013 49014 4032d0 std::_Throw_Cpp_error 41 API calls 49013->49014 49015 41e758 std::_Locinfo::_Locinfo_ctor 49013->49015 49016 41e843 std::_Locinfo::_Locinfo_ctor 49014->49016 49015->48455 49016->48455 49018 4e0900 49017->49018 49018->48487 49091 439820 43 API calls 49090->49091 49092 4e7740 49091->49092 49106 4e77b9 49092->49106 49180 43d5f6 49092->49180 49427 45f740 49428 45f794 49427->49428 49429 4602fc 49427->49429 49430 41ab20 41 API calls 49428->49430 49431 41ab20 41 API calls 49429->49431 49432 45f876 49430->49432 49433 4603de 49431->49433 49434 4e6ca0 86 API calls 49432->49434 49435 4e6ca0 86 API calls 49433->49435 49436 45f89c 49434->49436 49437 460404 49435->49437 49438 4e6c10 85 API calls 49436->49438 49445 45f8bf 49436->49445 49442 460427 49437->49442 49574 
4e6c10 49437->49574 49438->49445 49440 461b1b 49447 402df0 std::_Throw_Cpp_error 41 API calls 49440->49447 49441 461b00 49441->49440 49451 4e6770 93 API calls 49441->49451 49442->49440 49442->49441 49586 41b260 49442->49586 49443 4602ea 49448 402df0 std::_Throw_Cpp_error 41 API calls 49443->49448 49444 4602cf 49444->49443 49452 4e6770 93 API calls 49444->49452 49445->49443 49445->49444 49446 41b260 41 API calls 49445->49446 49490 45f8ef 49446->49490 49450 461b2d 49447->49450 49448->49429 49451->49440 49452->49443 49453 4602c0 49622 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49453->49622 49454 461af1 49625 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49454->49625 49457 4130f0 41 API calls 49457->49490 49458 41b260 41 API calls 49458->49490 49459 41b260 41 API calls 49489 460457 std::ios_base::_Ios_base_dtor 49459->49489 49462 4163b0 41 API calls std::_Throw_Cpp_error 49462->49490 49463 4163b0 41 API calls std::_Throw_Cpp_error 49463->49489 49466 41ac50 41 API calls 49466->49489 49467 4e6ca0 86 API calls 49467->49490 49468 4e6ca0 86 API calls 49468->49489 49469 439820 43 API calls 49469->49490 49470 439820 43 API calls 49470->49489 49471 41ac50 41 API calls 49471->49490 49472 4e6c10 85 API calls 49472->49490 49473 4e6c10 85 API calls 49473->49489 49474 41ae20 41 API calls 49474->49490 49475 41ae20 41 API calls 49475->49489 49476 402df0 41 API calls std::_Throw_Cpp_error 49476->49490 49477 402df0 41 API calls std::_Throw_Cpp_error 49477->49489 49478 41abb0 41 API calls 49478->49490 49479 41abb0 41 API calls 49479->49489 49480 4130f0 41 API calls 49480->49489 49481 416240 41 API calls 49481->49490 49482 416240 41 API calls 49482->49489 49483 413200 41 API calls 49483->49489 49484 43d0a8 78 API calls 49484->49489 49485 413200 41 API calls 49485->49490 49486 43d0a8 78 API calls 49486->49490 49487 402cf0 41 API calls std::_Throw_Cpp_error 49487->49490 49488 402cf0 41 API calls std::_Throw_Cpp_error 49488->49489 49489->49454 49489->49459 49489->49463 
49489->49466 49489->49468 49489->49470 49489->49473 49489->49475 49489->49477 49489->49479 49489->49480 49489->49482 49489->49483 49489->49484 49489->49488 49496 403040 std::_Throw_Cpp_error 41 API calls 49489->49496 49497 41ace0 41 API calls 49489->49497 49498 4162c0 41 API calls 49489->49498 49499 461e04 49489->49499 49501 41b400 41 API calls 49489->49501 49508 41af80 41 API calls 49489->49508 49509 416260 41 API calls 49489->49509 49510 403350 78 API calls 49489->49510 49607 4219a0 49489->49607 49623 416210 41 API calls std::_Throw_Cpp_error 49489->49623 49624 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49489->49624 49490->49453 49490->49457 49490->49458 49490->49462 49490->49467 49490->49469 49490->49471 49490->49472 49490->49474 49490->49476 49490->49478 49490->49481 49490->49485 49490->49486 49490->49487 49492 41af80 41 API calls 49490->49492 49493 403350 78 API calls 49490->49493 49618 416210 41 API calls std::_Throw_Cpp_error 49490->49618 49619 41b400 41 API calls 49490->49619 49620 41bae0 41 API calls 2 library calls 49490->49620 49621 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49490->49621 49492->49490 49493->49490 49496->49489 49497->49489 49498->49489 49500 438c70 std::_Throw_Cpp_error 41 API calls 49499->49500 49502 461e09 49500->49502 49501->49489 49503 41ab20 41 API calls 49502->49503 49504 461f34 49503->49504 49505 4e6ca0 86 API calls 49504->49505 49506 461f5a 49505->49506 49507 4e6c10 85 API calls 49506->49507 49512 461f7d 49506->49512 49507->49512 49508->49489 49509->49489 49510->49489 49511 46299f 49515 4629be 49511->49515 49512->49511 49513 41b260 41 API calls 49512->49513 49512->49515 49575 432b99 12 API calls 49574->49575 49576 4e6c3d 49575->49576 49577 4e6c44 49576->49577 49578 4e6c82 49576->49578 49579 4e6c89 49577->49579 49580 4e6c50 CreateDirectoryA 49577->49580 49581 432534 std::_Throw_Cpp_error 76 API calls 49578->49581 49582 432534 std::_Throw_Cpp_error 76 API calls 49579->49582 49583 432baa RtlReleaseSRWLockExclusive 
49580->49583 49581->49579 49584 4e6c9a 49582->49584 49585 4e6c6e 49583->49585 49585->49442 49587 433672 std::_Facet_Register 3 API calls 49586->49587 49588 41b2b8 49587->49588 49589 41b2e2 49588->49589 49590 41b3b4 49588->49590 49591 433672 std::_Facet_Register 3 API calls 49589->49591 49593 402cf0 std::_Throw_Cpp_error 41 API calls 49590->49593 49592 41b2f7 49591->49592 49632 42e7e0 49592->49632 49594 41b3c4 49593->49594 49595 41ace0 41 API calls 49594->49595 49597 41b3d9 49595->49597 49599 407cf0 41 API calls 49597->49599 49598 41b33b 49600 41b352 49598->49600 49603 41d1d0 41 API calls 49598->49603 49602 41b3ee 49599->49602 49644 41d1d0 49600->49644 49605 4351fb Concurrency::cancel_current_task RaiseException 49602->49605 49603->49600 49604 41b390 std::ios_base::_Ios_base_dtor 49604->49489 49606 41b3ff 49605->49606 49608 4219d0 49607->49608 49609 4219f5 49607->49609 49608->49489 49610 402cf0 std::_Throw_Cpp_error 41 API calls 49609->49610 49611 421a03 49610->49611 49612 41ace0 41 API calls 49611->49612 49613 421a18 49612->49613 49614 407cf0 41 API calls 49613->49614 49615 421a2d 49614->49615 49616 4351fb Concurrency::cancel_current_task RaiseException 49615->49616 49618->49490 49619->49490 49620->49490 49621->49490 49622->49444 49623->49489 49624->49489 49625->49441 49638 42e82a 49632->49638 49643 42e9ff 49632->49643 49634 4163b0 41 API calls std::_Throw_Cpp_error 49634->49638 49635 42ea1a 49682 407260 RaiseException 49635->49682 49636 433672 std::_Facet_Register 3 API calls 49636->49638 49638->49634 49638->49635 49638->49636 49639 402df0 std::_Throw_Cpp_error 41 API calls 49638->49639 49638->49643 49649 413d50 49638->49649 49639->49638 49640 42ea3d 49640->49598 49642 42ea1f 49642->49640 49683 42d6a0 41 API calls std::_Throw_Cpp_error 49642->49683 49643->49598 49645 41d24d 49644->49645 49647 41d1f8 std::ios_base::_Ios_base_dtor 49644->49647 49645->49604 49646 41d1d0 41 API calls 49646->49647 49647->49645 49647->49646 49648 402df0 std::_Throw_Cpp_error 41 API 
calls 49647->49648 49648->49647 49650 413df7 std::_Locinfo::_Locinfo_ctor 49649->49650 49651 413d8f 49649->49651 49650->49638 49651->49650 49652 413d96 49651->49652 49653 413e69 49651->49653 49654 413f7d 49651->49654 49655 413f1e 49651->49655 49657 433672 std::_Facet_Register 3 API calls 49652->49657 49656 433672 std::_Facet_Register 3 API calls 49653->49656 49658 433672 std::_Facet_Register 3 API calls 49654->49658 49696 417e80 41 API calls 2 library calls 49655->49696 49660 413e73 49656->49660 49661 413da0 49657->49661 49662 413f8a 49658->49662 49660->49650 49664 42bf30 41 API calls 49660->49664 49663 433672 std::_Facet_Register 3 API calls 49661->49663 49662->49650 49666 413fd3 49662->49666 49667 41408e 49662->49667 49665 413dd2 49663->49665 49675 413eb1 49664->49675 49684 42f460 49665->49684 49670 414004 49666->49670 49671 413fdb 49666->49671 49697 403330 RaiseException 49667->49697 49674 433672 std::_Facet_Register 3 API calls 49670->49674 49672 414093 49671->49672 49673 413fe6 49671->49673 49698 402b50 RaiseException Concurrency::cancel_current_task ___std_exception_copy 49672->49698 49677 433672 std::_Facet_Register 3 API calls 49673->49677 49674->49650 49675->49650 49678 413d50 41 API calls 49675->49678 49679 413fec 49677->49679 49678->49675 49679->49650 49680 438c70 std::_Throw_Cpp_error 41 API calls 49679->49680 49681 41409d 49680->49681 49682->49642 49683->49642 49685 42f498 49684->49685 49695 42f53f 49684->49695 49686 433672 std::_Facet_Register 3 API calls 49685->49686 49687 42f4ba 49686->49687 49688 4163b0 std::_Throw_Cpp_error 41 API calls 49687->49688 49689 42f4d0 49688->49689 49690 413d50 41 API calls 49689->49690 49691 42f4e0 49690->49691 49695->49650 49696->49650 49698->49679 49855 46aa80 50083 46aaba 49855->50083 49856 478b27 49857 46aae1 49858 4163b0 std::_Throw_Cpp_error 41 API calls 49857->49858 49859 4163b0 std::_Throw_Cpp_error 41 API calls 49857->49859 49858->49857 49860 46ab3c 49859->49860 49861 46abc4 49860->49861 49863 46abde 
49861->49863 49862 403040 std::_Throw_Cpp_error 41 API calls 49862->49863 49863->49862 49864 403040 std::_Throw_Cpp_error 41 API calls 49863->49864 49865 46ad59 49864->49865 49867 46ad84 49865->49867 51202 47721c 49865->51202 51203 4aa200 49865->51203 49870 46ad96 49867->49870 49868 47722a 49869 47724c 49868->49869 49873 4163b0 std::_Throw_Cpp_error 41 API calls 49869->49873 49871 46adb8 49870->49871 49872 4163b0 std::_Throw_Cpp_error 41 API calls 49871->49872 49874 46adc0 49872->49874 49875 47725b 49873->49875 49876 46adda 49874->49876 49883 477278 49875->49883 49877 46ade1 49876->49877 49879 4163b0 std::_Throw_Cpp_error 41 API calls 49877->49879 49878 4163b0 std::_Throw_Cpp_error 41 API calls 49878->49883 49880 46ade9 49879->49880 49882 402cf0 std::_Throw_Cpp_error 41 API calls 49880->49882 49881 402cf0 std::_Throw_Cpp_error 41 API calls 49881->49883 49884 46ae63 49882->49884 49883->49878 49883->49881 49891 47747b 49883->49891 49886 402cf0 std::_Throw_Cpp_error 41 API calls 49884->49886 49885 402cf0 std::_Throw_Cpp_error 41 API calls 49885->49891 49887 46af8d 49886->49887 49888 4aa200 222 API calls 49887->49888 49890 46afa8 49888->49890 49889 4aa200 222 API calls 49889->49891 49894 46afbd 49890->49894 49891->49885 49891->49889 49892 4774af 49891->49892 49893 4774d1 49892->49893 49896 4163b0 std::_Throw_Cpp_error 41 API calls 49893->49896 49895 46afdf 49894->49895 49897 4163b0 std::_Throw_Cpp_error 41 API calls 49895->49897 49898 4774e0 49896->49898 49899 46afe7 49897->49899 49907 4774fd 49898->49907 49900 46b001 49899->49900 49903 4163b0 std::_Throw_Cpp_error 41 API calls 49903->49907 49906 402cf0 std::_Throw_Cpp_error 41 API calls 49906->49907 49907->49903 49907->49906 49914 477700 49907->49914 49909 402cf0 std::_Throw_Cpp_error 41 API calls 49909->49914 49912 4aa200 222 API calls 49912->49914 49914->49909 49914->49912 49916 477734 49914->49916 49918 477756 49916->49918 49921 4163b0 std::_Throw_Cpp_error 41 API calls 49918->49921 49922 477765 49921->49922 49931 
477782 49922->49931 49926 4163b0 std::_Throw_Cpp_error 41 API calls 49926->49931 49929 402cf0 std::_Throw_Cpp_error 41 API calls 49929->49931 49931->49926 49931->49929 49938 477985 49931->49938 49934 402cf0 std::_Throw_Cpp_error 41 API calls 49934->49938 49937 4aa200 222 API calls 49937->49938 49938->49934 49938->49937 49940 4779b9 49938->49940 50077 402cf0 std::_Throw_Cpp_error 41 API calls 50077->50083 50081 4aa200 222 API calls 50081->50083 50083->49856 50083->49857 50083->50077 50083->50081 51202->49868 51204 4359b0 __fread_nolock 51203->51204 51205 4aa25b SHGetFolderPathA 51204->51205 52164 41ac50 51205->52164 51207 4aa28f 51208 4aa2ad 51207->51208 51209 4ab3c5 51207->51209 51211 4163b0 std::_Throw_Cpp_error 41 API calls 51208->51211 51210 4152b0 41 API calls 51209->51210 51213 4ab411 51210->51213 51212 4aa2be 51211->51212 51214 4c6000 45 API calls 51212->51214 51215 402df0 std::_Throw_Cpp_error 41 API calls 51213->51215 51216 4aa2d1 51214->51216 51217 4ab3c3 51215->51217 51218 4aa2eb 51216->51218 51473 4aa355 std::_Locinfo::_Locinfo_ctor 51216->51473 51224 4242a0 41 API calls 51217->51224 51225 4ab46b 51217->51225 51474 4ab490 std::ios_base::_Ios_base_dtor std::_Locinfo::_Locinfo_ctor 51217->51474 51220 4185d0 76 API calls 51218->51220 51219 4ab3b4 51222 4185d0 76 API calls 51219->51222 51221 4aa2f7 51220->51221 51223 4185d0 76 API calls 51221->51223 51222->51217 51226 4aa303 51223->51226 51224->51225 51227 402df0 std::_Throw_Cpp_error 41 API calls 51225->51227 51228 402df0 std::_Throw_Cpp_error 41 API calls 51226->51228 51227->51474 51231 4aa30f 51228->51231 51229 4adb0c 51234 417ef0 41 API calls 51229->51234 51230 41ab20 41 API calls 51230->51474 51236 4adb7a 51234->51236 51238 4140c0 41 API calls 51236->51238 51240 4adba4 51238->51240 51243 41ad80 41 API calls 51243->51474 51252 4adb07 51256 438c70 std::_Throw_Cpp_error 41 API calls 51252->51256 51256->51229 51264 41e8a0 41 API calls 51264->51474 51272 402df0 41 API calls std::_Throw_Cpp_error 51272->51473 
51296 41e8a0 41 API calls 51296->51473 51318 41e710 41 API calls 51318->51474 51321 418f00 std::_Throw_Cpp_error 41 API calls 51321->51474 51329 41abb0 41 API calls 51329->51474 51340 41abb0 41 API calls 51340->51473 51368 4e6d70 78 API calls 51368->51474 51387 403040 41 API calls std::_Throw_Cpp_error 51387->51474 51394 4032d0 41 API calls std::_Throw_Cpp_error 51394->51474 51401 4235f0 41 API calls 51401->51474 51410 402df0 41 API calls std::_Throw_Cpp_error 51410->51474 51413 418f00 41 API calls std::_Throw_Cpp_error 51413->51473 51429 402fe0 41 API calls std::_Throw_Cpp_error 51429->51474 51445 4163b0 41 API calls std::_Throw_Cpp_error 51445->51474 51450 4e6d70 78 API calls 51450->51473 51452 4032d0 std::_Throw_Cpp_error 41 API calls 51452->51473 51457 4163b0 41 API calls std::_Throw_Cpp_error 51457->51473 51473->51219 51473->51229 51473->51272 51473->51296 51473->51340 51473->51413 51473->51450 51473->51452 51473->51457 52339 424400 44 API calls 4 library calls 51473->52339 51474->51221 51474->51229 51474->51230 51474->51243 51474->51252 51474->51264 51474->51318 51474->51321 51474->51329 51474->51368 51474->51387 51474->51394 51474->51401 51474->51410 51474->51429 51474->51445 51475 4098e0 41 API calls 51474->51475 51475->51474 52165 41ac81 52164->52165 52165->52165 52166 41ac9b 52165->52166 52169 41acd3 52165->52169 52167 41e8a0 41 API calls 52166->52167 52168 41acb2 52167->52168 52168->51207 52170 41fbf0 41 API calls 52169->52170 52171 41ad24 52170->52171 52171->51207 52339->51473 53054 46a140 53065 46a17b 53054->53065 53055 46aa60 53056 4163b0 41 API calls std::_Throw_Cpp_error 53056->53065 53060 41af80 41 API calls 53060->53065 53061 413d50 41 API calls 53061->53065 53062 4138b0 41 API calls 53062->53065 53065->53055 53065->53056 53065->53060 53065->53061 53065->53062 53066 49f0d0 53065->53066 53158 49d3a0 53065->53158 53238 49af60 53065->53238 53319 4986b0 53065->53319 53396 4963b0 53065->53396 53067 49f106 53066->53067 53068 417ef0 41 API calls 
53067->53068 53069 49f12f 53068->53069 53070 4140c0 41 API calls 53069->53070 53071 49f159 53070->53071 53072 41af80 41 API calls 53071->53072 53073 49f1f4 __fread_nolock 53072->53073 53074 49f212 SHGetFolderPathA 53073->53074 53075 41ac50 41 API calls 53074->53075 53076 49f23f 53075->53076 53077 41ab20 41 API calls 53076->53077 53078 49f2e4 __fread_nolock 53077->53078 53079 49f2fe GetPrivateProfileSectionNamesA 53078->53079 53132 49f331 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53079->53132 53081 4a348d lstrlen 53082 4a34a3 53081->53082 53081->53132 53083 402df0 std::_Throw_Cpp_error 41 API calls 53082->53083 53085 4a34b2 53083->53085 53084 49f422 GetPrivateProfileStringA 53084->53132 53086 402df0 std::_Throw_Cpp_error 41 API calls 53085->53086 53087 4a34c1 53086->53087 53088 402df0 std::_Throw_Cpp_error 41 API calls 53087->53088 53089 4a34cd 53088->53089 53092 402df0 std::_Throw_Cpp_error 41 API calls 53089->53092 53090 4a34fb 53094 402cf0 std::_Throw_Cpp_error 41 API calls 53090->53094 53091 41abb0 41 API calls 53091->53132 53093 4a34d9 53092->53093 53095 402df0 std::_Throw_Cpp_error 41 API calls 53093->53095 53096 4a3514 53094->53096 53097 4a34e5 53095->53097 53098 41ace0 41 API calls 53096->53098 53097->53065 53099 4a3529 53098->53099 53100 407cf0 41 API calls 53099->53100 53101 4a3541 53100->53101 53102 4351fb Concurrency::cancel_current_task RaiseException 53101->53102 53103 4a3555 53102->53103 53104 438c70 std::_Throw_Cpp_error 41 API calls 53103->53104 53105 4a355a 53104->53105 53107 402cf0 std::_Throw_Cpp_error 41 API calls 53105->53107 53106 41e8a0 41 API calls 53106->53132 53110 4a356d 53107->53110 53108 4d6790 148 API calls 53108->53132 53109 4e7640 87 API calls 53109->53132 53113 41ace0 41 API calls 53110->53113 53111 4032d0 std::_Throw_Cpp_error 41 API calls 53111->53132 53112 41b430 53 API calls 53112->53132 53114 4a3582 53113->53114 53115 407cf0 41 API calls 53114->53115 53116 4a359a 53115->53116 53117 4351fb 
Concurrency::cancel_current_task RaiseException 53116->53117 53119 4a35ae 53117->53119 53118 4d65f0 87 API calls 53118->53132 53120 402cf0 std::_Throw_Cpp_error 41 API calls 53119->53120 53121 4a35c2 53120->53121 53122 41ace0 41 API calls 53121->53122 53123 4a35d7 53122->53123 53124 407cf0 41 API calls 53123->53124 53125 4a35ef 53124->53125 53126 4351fb Concurrency::cancel_current_task RaiseException 53125->53126 53127 4a3603 53126->53127 53128 417ef0 41 API calls 53128->53132 53129 4130f0 41 API calls 53129->53132 53131 4e6ca0 86 API calls 53131->53132 53132->53081 53132->53084 53132->53090 53132->53091 53132->53103 53132->53105 53132->53106 53132->53108 53132->53109 53132->53111 53132->53112 53132->53118 53132->53119 53132->53128 53132->53129 53132->53131 53133 4a1c5f CreateDirectoryA 53132->53133 53135 426db0 41 API calls 53132->53135 53136 41af80 41 API calls 53132->53136 53137 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53132->53137 53138 41ad80 41 API calls 53132->53138 53139 403040 41 API calls std::_Throw_Cpp_error 53132->53139 53140 413d50 41 API calls 53132->53140 53141 41b0e0 41 API calls 53132->53141 53142 4a1f46 CreateDirectoryA 53132->53142 53143 41ab20 41 API calls 53132->53143 53144 402fe0 41 API calls std::_Throw_Cpp_error 53132->53144 53145 402cf0 std::_Throw_Cpp_error 41 API calls 53132->53145 53147 41ace0 41 API calls 53132->53147 53148 41b7b0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection 53132->53148 53149 4e6d70 78 API calls 53132->53149 53150 439820 43 API calls 53132->53150 53152 413980 41 API calls 53132->53152 53153 402df0 41 API calls std::_Throw_Cpp_error 53132->53153 53154 4a3610 154 API calls 53132->53154 53155 441628 75 API calls 53132->53155 53156 43d0a8 78 API calls 53132->53156 53475 440fae 53132->53475 53489 42c080 41 API calls 2 library calls 53132->53489 53490 424900 41 API calls 53132->53490 53491 413200 53132->53491 53506 41b9d0 41 API calls 2 library calls 
53132->53506 53507 4136c0 41 API calls 2 library calls 53132->53507 53133->53132 53135->53132 53136->53132 53137->53132 53138->53132 53139->53132 53140->53132 53141->53132 53142->53132 53143->53132 53144->53132 53145->53132 53147->53132 53148->53132 53149->53132 53150->53132 53152->53132 53153->53132 53154->53132 53155->53132 53156->53132 53159 49d3d6 53158->53159 53160 417ef0 41 API calls 53159->53160 53161 49d3ff 53160->53161 53162 4140c0 41 API calls 53161->53162 53163 49d429 53162->53163 53164 41af80 41 API calls 53163->53164 53165 49d4c4 __fread_nolock 53164->53165 53166 49d4e2 SHGetFolderPathA 53165->53166 53167 41ac50 41 API calls 53166->53167 53168 49d50f 53167->53168 53169 41ab20 41 API calls 53168->53169 53170 49d5b4 __fread_nolock 53169->53170 53171 49d5ce GetPrivateProfileSectionNamesA 53170->53171 53234 49d601 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53171->53234 53172 440fae 50 API calls 53172->53234 53173 49ef31 lstrlen 53174 49ef47 53173->53174 53173->53234 53176 402df0 std::_Throw_Cpp_error 41 API calls 53174->53176 53175 49d6f2 GetPrivateProfileStringA 53175->53234 53177 49ef56 53176->53177 53178 402df0 std::_Throw_Cpp_error 41 API calls 53177->53178 53179 49ef65 53178->53179 53181 402df0 std::_Throw_Cpp_error 41 API calls 53179->53181 53180 49f068 53185 438c70 std::_Throw_Cpp_error 41 API calls 53180->53185 53183 49ef71 53181->53183 53182 41e8a0 41 API calls 53182->53234 53183->53065 53184 41abb0 41 API calls 53184->53234 53186 49f072 53185->53186 53187 402cf0 std::_Throw_Cpp_error 41 API calls 53186->53187 53188 49f089 53187->53188 53189 41ace0 41 API calls 53188->53189 53190 49f09e 53189->53190 53191 407cf0 41 API calls 53190->53191 53192 49f0b6 53191->53192 53194 4351fb Concurrency::cancel_current_task RaiseException 53192->53194 53193 41ab20 41 API calls 53193->53234 53195 49f0ca 53194->53195 53196 439820 43 API calls 53196->53234 53197 43d0a8 78 API calls 53197->53234 53198 402df0 41 API calls 
std::_Throw_Cpp_error 53198->53234 53199 4140c0 41 API calls 53199->53234 53200 4032d0 41 API calls std::_Throw_Cpp_error 53200->53234 53201 4e64d0 44 API calls 53201->53234 53203 49efc0 53207 402cf0 std::_Throw_Cpp_error 41 API calls 53203->53207 53204 4185d0 76 API calls 53204->53234 53205 4180a0 41 API calls 53205->53234 53206 416130 41 API calls 53206->53234 53208 49efd7 53207->53208 53209 41ace0 41 API calls 53208->53209 53210 49efec 53209->53210 53212 407cf0 41 API calls 53210->53212 53211 4d6790 148 API calls 53211->53234 53213 49f004 53212->53213 53214 4351fb Concurrency::cancel_current_task RaiseException 53213->53214 53214->53180 53215 49ef86 53217 402cf0 std::_Throw_Cpp_error 41 API calls 53215->53217 53216 4d65f0 87 API calls 53216->53234 53218 49ef99 53217->53218 53219 41ace0 41 API calls 53218->53219 53229 49ee87 53219->53229 53220 407cf0 41 API calls 53220->53213 53221 417ef0 41 API calls 53221->53234 53222 49ee5e 53225 402cf0 std::_Throw_Cpp_error 41 API calls 53222->53225 53223 413d50 41 API calls 53223->53234 53224 424900 41 API calls 53224->53234 53226 49ee72 53225->53226 53227 41ace0 41 API calls 53226->53227 53227->53229 53228 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53228->53234 53229->53220 53230 403040 41 API calls std::_Throw_Cpp_error 53230->53234 53232 426db0 41 API calls 53232->53234 53233 49f014 53235 402cf0 std::_Throw_Cpp_error 41 API calls 53233->53235 53234->53172 53234->53173 53234->53175 53234->53180 53234->53182 53234->53184 53234->53186 53234->53193 53234->53196 53234->53197 53234->53198 53234->53199 53234->53200 53234->53201 53234->53203 53234->53204 53234->53205 53234->53206 53234->53211 53234->53215 53234->53216 53234->53221 53234->53222 53234->53223 53234->53224 53234->53228 53234->53230 53234->53232 53234->53233 53515 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53234->53515 53516 423f40 102 API calls 4 library calls 53234->53516 
53236 49f027 53235->53236 53237 41ace0 41 API calls 53236->53237 53237->53229 53239 49af96 53238->53239 53240 417ef0 41 API calls 53239->53240 53241 49afbf 53240->53241 53242 4140c0 41 API calls 53241->53242 53243 49afe9 53242->53243 53244 41af80 41 API calls 53243->53244 53245 49b128 __fread_nolock 53244->53245 53246 49b146 SHGetFolderPathA 53245->53246 53247 41ac50 41 API calls 53246->53247 53248 49b173 53247->53248 53249 41ab20 41 API calls 53248->53249 53250 49b227 __fread_nolock 53249->53250 53251 49b241 GetPrivateProfileSectionNamesA 53250->53251 53310 49b274 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53251->53310 53252 440fae 50 API calls 53252->53310 53253 49d22c lstrlen 53254 49d242 53253->53254 53253->53310 53255 402df0 std::_Throw_Cpp_error 41 API calls 53254->53255 53257 49d251 53255->53257 53256 49b365 GetPrivateProfileStringA 53256->53310 53258 402df0 std::_Throw_Cpp_error 41 API calls 53257->53258 53260 49d260 53258->53260 53259 49d329 53265 438c70 std::_Throw_Cpp_error 41 API calls 53259->53265 53262 402df0 std::_Throw_Cpp_error 41 API calls 53260->53262 53261 41e8a0 41 API calls 53261->53310 53263 49d26c 53262->53263 53263->53065 53264 41abb0 41 API calls 53264->53310 53266 49d333 53265->53266 53518 419e60 RaiseException 53266->53518 53268 49d338 53270 402cf0 std::_Throw_Cpp_error 41 API calls 53268->53270 53269 403040 41 API calls std::_Throw_Cpp_error 53269->53310 53271 49d34f 53270->53271 53272 41ace0 41 API calls 53271->53272 53273 49d364 53272->53273 53274 407cf0 41 API calls 53273->53274 53276 49d37c 53274->53276 53275 41ab20 41 API calls 53275->53310 53277 4351fb Concurrency::cancel_current_task RaiseException 53276->53277 53279 49d390 53277->53279 53278 439820 43 API calls 53278->53310 53280 43d0a8 78 API calls 53280->53310 53281 4140c0 41 API calls 53281->53310 53282 4e64d0 44 API calls 53282->53310 53284 49d281 53288 402cf0 std::_Throw_Cpp_error 41 API calls 53284->53288 53285 4032d0 41 API calls 
Call-graph visualization residue: this region of the report is the textual dump of the interactive execution graph (node ids, function addresses and edge pairs such as 53285->53310). The graph layout is not recoverable as text and is omitted here; only the Windows API calls named on the graph nodes in this region are kept, listed by the function address shown on the node.

0x4c7b00 (receive loop at 0x4c7b87, 0x4c7c2d, 0x4c7cd6, 0x4c7e15): setsockopt, recv, WSAGetLastError, Sleep
0x4c8590 (0x4c85fe, 0x4c8654, 0x4c866a, 0x4c867c, 0x4c8686, 0x4c8690, 0x4c86a4): WSAStartup, getaddrinfo, socket, connect, closesocket, FreeAddrInfoW, WSACleanup
0x4c81b2: GetCurrentProcess
0x4987f2, 0x4988de, 0x498a05, 0x49ae10 (0x4986e6 subgraph): SHGetFolderPathA, GetPrivateProfileSectionNamesA, GetPrivateProfileStringA, lstrlen
0x4964f2, 0x4965de, 0x496702, 0x49854e (0x4963e6 subgraph): SHGetFolderPathA, GetPrivateProfileSectionNamesA, GetPrivateProfileStringA, lstrlen
0x482793, 0x482a95, 0x482d93, 0x4830f3, 0x48341b, 0x483725 (0x481c10 subgraph), 0x4359c7: SHGetFolderPathA
0x4c6000 (0x4c6125, 0x4c6437, 0x4c644d, 0x4c645c): FindFirstFileA, FindNextFileA, GetLastError, FindClose
0x4845e0 subgraph (0x484870, 0x485032, 0x485bbc, 0x4852f2, 0x4854fe): CreateDirectoryA, CopyFileA, CoInitialize, PathFindExtensionA
0x4e6ca0 (0x4e6cfb, 0x4e6d07): GetFileAttributesA, GetLastError
0x493b60 (0x493bd7, 0x493d97): RegOpenKeyExA, RegQueryValueExA, RegCloseKey
0x432bc8, 0x432baa, 0x4339b3: GetCurrentThreadId, RtlAcquireSRWLockExclusive, RtlTryAcquireSRWLockExclusive, RtlReleaseSRWLockExclusive, SleepConditionVariableSRW
0x43361d, 0x43302b: GetSystemTimeAsFileTime, GetSystemTimePreciseAsFileTime
0x433d77, 0x43451d: IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
C++ runtime helpers referenced throughout (0x4351fb, 0x433672, 0x41c3a0, 0x445a89, 0x402b50): RaiseException, RtlEnterCriticalSection, RtlLeaveCriticalSection, std::_Throw_Cpp_error, std::_Facet_Register, Concurrency::cancel_current_task
calls 49781->49820 49822 416240 41 API calls 49781->49822 49827 439820 43 API calls 49781->49827 49828 41ac50 41 API calls 49781->49828 49830 4e6c10 85 API calls 49781->49830 49831 41ae20 41 API calls 49781->49831 49833 41abb0 41 API calls 49781->49833 49835 4130f0 41 API calls 49781->49835 49836 413200 41 API calls 49781->49836 49837 43d0a8 78 API calls 49781->49837 49839 402cf0 41 API calls std::_Throw_Cpp_error 49781->49839 49845 41b400 41 API calls 49781->49845 49846 41bae0 41 API calls 49781->49846 49847 41af80 41 API calls 49781->49847 49848 41b1e0 41 API calls 49781->49848 49849 403350 78 API calls 49781->49849 49850 402df0 41 API calls std::_Throw_Cpp_error 49781->49850 49783 4e6ca0 86 API calls 49782->49783 49784 465c8f 49783->49784 49785 465c93 CreateDirectoryA 49784->49785 49786 465cbe 49784->49786 49785->49786 49788 4667d7 49785->49788 49789 41b260 41 API calls 49786->49789 49799 4667bc 49786->49799 49787 402df0 std::_Throw_Cpp_error 41 API calls 49790 466a3b 49787->49790 49794 41ab20 41 API calls 49788->49794 49805 466a29 49788->49805 49841 465ce6 49789->49841 49792 4185d0 76 API calls 49790->49792 49791 4e6770 93 API calls 49791->49788 49793 466a47 49792->49793 49798 466922 49794->49798 49795 4667ad 49854 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49795->49854 49797->49781 49800 439820 43 API calls 49798->49800 49799->49788 49799->49791 49801 46694a 49800->49801 49802 402df0 std::_Throw_Cpp_error 41 API calls 49801->49802 49806 466964 49802->49806 49803 466a23 49804 43d0a8 78 API calls 49803->49804 49804->49805 49805->49787 49806->49803 49806->49805 49808 403350 78 API calls 49806->49808 49807 413200 41 API calls 49807->49841 49808->49806 49809 41b260 41 API calls 49809->49841 49810->49781 49812->49781 49813 4163b0 41 API calls std::_Throw_Cpp_error 49813->49841 49814 41ac50 41 API calls 49814->49841 49815 416240 41 API calls 49815->49841 49816->49781 49818->49781 49819 402cf0 41 API calls std::_Throw_Cpp_error 49819->49841 49820->49781 49821 
465ea9 CreateDirectoryA 49821->49841 49822->49781 49823 4e6ca0 86 API calls 49823->49841 49824 439820 43 API calls 49824->49841 49825 465fb8 CreateDirectoryA 49825->49841 49826 41ae20 41 API calls 49826->49841 49827->49781 49828->49781 49829 41abb0 41 API calls 49829->49841 49830->49781 49831->49781 49832 4130f0 41 API calls 49832->49841 49833->49781 49834 43d0a8 78 API calls 49834->49841 49835->49781 49836->49781 49837->49781 49838 41af80 41 API calls 49838->49841 49839->49781 49840 41b400 41 API calls 49840->49841 49841->49795 49841->49807 49841->49809 49841->49813 49841->49814 49841->49815 49841->49819 49841->49821 49841->49823 49841->49824 49841->49825 49841->49826 49841->49829 49841->49832 49841->49834 49841->49838 49841->49840 49842 402df0 41 API calls std::_Throw_Cpp_error 49841->49842 49843 403350 78 API calls 49841->49843 49851 416210 41 API calls std::_Throw_Cpp_error 49841->49851 49852 415310 44 API calls std::_Throw_Cpp_error 49841->49852 49853 408ab0 41 API calls std::ios_base::_Ios_base_dtor 49841->49853 49842->49841 49843->49841 49845->49781 49846->49781 49847->49781 49848->49781 49849->49781 49850->49781 49851->49841 49852->49841 49853->49841 49854->49799
                                      APIs
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BAD2
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040BF80
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C47A
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C575
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C969
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040CD72
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D17B
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D29A
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D6F8
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D9DC
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DAD7
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040DE41
                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0040E55A
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040ECF6
                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040EEEA
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F45B
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F525
                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 004101ED
                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410580
                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0041088D
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00410DC4
                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 0041173C
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411904
                                      • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00411CD7
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411E6E
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411FBE
                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410B14
                                        • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00410F12
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FEF1
                                        • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FC55
                                        • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F933
                                        • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                        • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                        • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                        • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                        • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040E6FA
                                        • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                        • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0042910D
                                        • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00429155
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DF3C
                                        • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                        • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                                        • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                                        • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D5FD
                                        • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BB07
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BD08
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BD37
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C0CC
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C196
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Directory$Create$File$Copy$Find$Cpp_errorThrow_std::_$AttributesErrorFirstLast$FolderPath___std_fs_convert_narrow_to_wide@20$CloseDeleteNextRemove
                                      • String ID:
                                      • API String ID: 1172780710-0
                                      • Opcode ID: 29938c2e1f67a8f7752316edec3deb9e51ef0fd2753200a526bf6a5ee63613ca
                                      • Instruction ID: 57087eddf2f8576e704702d152c9cc5b4e2b87ff67a8e07952ed474be97f1841
                                      • Opcode Fuzzy Hash: 29938c2e1f67a8f7752316edec3deb9e51ef0fd2753200a526bf6a5ee63613ca
                                      • Instruction Fuzzy Hash: 56F3E2B4D0425D8BDF25CF99C981AEEBBB1BF18304F1041AAD849B7341DB385A85CF69
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004AA277
                                        • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: FileFindFirstFolderPath
                                      • String ID: ;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$Jzv"$WUa5$X<b.$cannot use operator[] with a string argument with $cannot use push_back() with
                                      • API String ID: 2195519125-383699475
                                      • Opcode ID: 50e8e4793368ede4cbbfd3faa21feedc2e24d7a6a0abfa470dc452715c78d4b8
                                      • Instruction ID: d5c29c46e18a526762dbfc7c8aed9f945ae13eab665394adbd88e65e82b678fb
                                      • Opcode Fuzzy Hash: 50e8e4793368ede4cbbfd3faa21feedc2e24d7a6a0abfa470dc452715c78d4b8
                                      • Instruction Fuzzy Hash: 29B433B0D052698BDB25CF68C984BEEBBB1BF49304F1081DAD449A7281DB746F84CF95
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,0055B192,000000FF), ref: 004D766C
                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004D7693
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7959
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7CBB
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004D8DF7
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D9992
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA31E
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DA3EF
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA712
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAA7D
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DAB4E
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAE39
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 004DB0C9
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB27C
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB556
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB93C
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 004DBCF1
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DBEA4
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC17E
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC564
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9FB3
                                        • Part of subcall function 004DFF00: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
                                        • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E05A0
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC99C
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DCAF3
                                        • Part of subcall function 004DE430: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9C53
                                        • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                        • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                        • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                        • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                        • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                        • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 004D9648
                                        • Part of subcall function 004DFF00: FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
                                        • Part of subcall function 004DFF00: FindClose.KERNEL32(00000000), ref: 004E057C
                                        • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E0582
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004D91DD
                                        • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                        • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                                        • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                                        • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 004D896A
                                        • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D8B1D
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004D8362
                                        • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004D8623
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D801B
                                        • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Directory$Create$File$Find$ErrorLast$CopyCpp_errorThrow_std::_$AttributesFolderPath$CloseFirstNext$DeleteRemove
                                      • String ID:
                                      • API String ID: 1140557632-0
                                      • Opcode ID: 5390f64dea3d9a6db721b8f9ffaf1a58166a76a045dce46671a256603e264793
                                      • Instruction ID: 6b404ecdfd53acb60f6cf5d734e717c5294ca690171ae70fa85b8f1a38f34a58
                                      • Opcode Fuzzy Hash: 5390f64dea3d9a6db721b8f9ffaf1a58166a76a045dce46671a256603e264793
                                      • Instruction Fuzzy Hash: 76F3F2B4D0525A8BCF15CFA9C9916EEBBB0BF18304F20419AD549B7341DB346B84CFA6
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B
                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049086F
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00490895
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490A2C
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490CB3
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490DA0
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490EE1
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490FCB
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 004910B5
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 0049119F
                                      • RegCloseKey.ADVAPI32(?), ref: 0049229B
                                      • RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 004922D1
                                      • RegCloseKey.ADVAPI32(?), ref: 004922E5
                                      Strings
                                      • cannot use push_back() with , xrefs: 00492345
                                      • cannot use operator[] with a string argument with , xrefs: 0049239E, 004923F3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseEnumOpen
                                      • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                      • API String ID: 2041898428-3306948993
                                      • Opcode ID: 70dc1500677c7a069f3ca8e8a388d3e6c552643b7932719280e578cc7331c2d8
                                      • Instruction ID: 6d5f253b48c5edfa20594e0b0a8a78ae050bf84d77acb07cc1b8e3b44561805a
                                      • Opcode Fuzzy Hash: 70dc1500677c7a069f3ca8e8a388d3e6c552643b7932719280e578cc7331c2d8
                                      • Instruction Fuzzy Hash: 511322B0C042698BDB25CF68CD84BEEBBB4BF49304F1042EAD549A7241EB756B85CF54
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00493FA7
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • FindFirstFileA.KERNEL32(?,?), ref: 0049455F
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0049496C
                                      • FindClose.KERNEL32(00000000), ref: 0049497C
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494A53
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494B19
                                      • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00494C9D
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494E44
                                      • CopyFileA.KERNEL32(00000000,?,00000000), ref: 004950F8
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00495638
                                      • CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 004959FD
                                        • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,0041ABA8,?,?,?,00431D09,0041ABA8,005799D8,00000000,0041ABA8), ref: 0043525B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: File$CopyCreateDirectoryFind$Cpp_errorThrow_std::_$AttributesCloseCredEnumerateErrorExceptionFirstFolderLastNextPathRaise
                                      • String ID: cannot use operator[] with a string argument with $tmX
                                      • API String ID: 2195218309-2011928656
                                      • Opcode ID: dd678a44b54076545ed104e8e989b712f5d1fef106f46798f1d704958ff365a8
                                      • Instruction ID: 1c5c2bc117abc336d538eb0f3ab0e4b698252c7f2e821ac10c87ad1798346723
                                      • Opcode Fuzzy Hash: dd678a44b54076545ed104e8e989b712f5d1fef106f46798f1d704958ff365a8
                                      • Instruction Fuzzy Hash: 0E3310B4C042698BDB25CFA8C994BEDBBB0BF18304F1041EAD849A7351EB346B85CF55
                                      APIs
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 004827AB
                                      • SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00482AA7
                                      • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00482DA5
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00483105
                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00483433
                                      • SHGetFolderPathA.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00483737
                                      • Concurrency::cancel_current_task.LIBCPMT ref: 004844E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: FolderPath$AttributesConcurrency::cancel_current_taskErrorFileLast
                                      • String ID: cannot compare iterators of different containers$cannot get value$type must be boolean, but is $type must be string, but is
                                      • API String ID: 1974481932-2698695959
                                      • Opcode ID: 194ef8c2ddfd07120c963886e5dc8c143c382c21f38e9d7e1e981fd7ee2d9e21
                                      • Instruction ID: 7d592af2553ac1c7978d8671279e796c0dcb22ab630186640302ddbce1f3b4fb
                                      • Opcode Fuzzy Hash: 194ef8c2ddfd07120c963886e5dc8c143c382c21f38e9d7e1e981fd7ee2d9e21
                                      • Instruction Fuzzy Hash: D74334B0C042698BDB25DF28C994BEEBBB5BF48304F1082DAD449A7281DB756F84CF55

                                      Control-flow Graph (legend: Executed / Not Executed) for the function at 004E6770 through 004E6BF8; the rendered block and edge list is omitted here. Blocks in the graph call FindFirstFileA, FindNextFileA, FindClose, GetLastError, SetFileAttributesA, DeleteFileA and RemoveDirectoryA, and one block (004E6A5B) calls 004E6770 again, i.e. the routine recurses into subdirectories.
                                      APIs
                                      • FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                      • DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                      • FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                      • FindClose.KERNEL32(?), ref: 004E6ACA
                                      • GetLastError.KERNEL32 ref: 004E6AD0
                                      • SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                      • RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                      • GetLastError.KERNEL32 ref: 004E6B20
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: File$Find$AttributesCpp_errorErrorLastThrow_std::_$CloseDeleteDirectoryFirstNextRemove
                                      • String ID: \*.*
                                      • API String ID: 460640838-1173974218
                                      • Opcode ID: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                                      • Instruction ID: d809dff945c313677263d2cc5f51936a643c350294cf92fd29307912c56e1fe7
                                      • Opcode Fuzzy Hash: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                                      • Instruction Fuzzy Hash: EDD11670C00288CFDB10DFA9C9487EEBBB1FF65305F20425AE454BB292D7786A89DB55
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049F224
                                      • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049F322
                                      • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049F515
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1C76
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1F5D
                                      • lstrlen.KERNEL32(?), ref: 004A348E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
                                      • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with $~]d
                                      • API String ID: 2833034228-1763774129
                                      • Opcode ID: 1f0a8e9f4f1f97e1b7edb0a67155eabc9adf5731a86d5cbd02439c3b507358c4
                                      • Instruction ID: 3f98b5ef17dcfaa8f689e4fcb5a5d7fbbd5e2711f2842c60bb6495c93d0a2e70
                                      • Opcode Fuzzy Hash: 1f0a8e9f4f1f97e1b7edb0a67155eabc9adf5731a86d5cbd02439c3b507358c4
                                      • Instruction Fuzzy Hash: 2793DCB4D052A98ADB65CF29C990BEDBBB1BF59304F0081EAD84DA7241DB742BC4CF45
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00496504
                                      • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00496602
                                      • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 004967F5
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498078
                                      • lstrlen.KERNEL32(?), ref: 0049854F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                      • String ID: ;Yb.$Tz}9$cannot use operator[] with a string argument with $cannot use push_back() with
                                      • API String ID: 3203477177-4100205650
                                      • Opcode ID: 5e2fa55dabf0acb2d678fdf2b5874fc61568f89e3c6ed4d55f5cfcc09f9d57bb
                                      • Instruction ID: 6b3be8cf9a559e92d133cc3b6572ed682d4dab2050fd03768d9c929fe5be15d2
                                      • Opcode Fuzzy Hash: 5e2fa55dabf0acb2d678fdf2b5874fc61568f89e3c6ed4d55f5cfcc09f9d57bb
                                      • Instruction Fuzzy Hash: 352300B0D052688BDB25CF28C9947EDBBB5BF49304F1082EAE449A7281DB746BC4CF55
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00498804
                                      • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00498902
                                      • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00498AF8
                                      • lstrlen.KERNEL32(?), ref: 0049AE11
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                      • String ID: ;Yb.$AN|5$cannot use operator[] with a string argument with $cannot use push_back() with
                                      • API String ID: 1311570089-1903585501
                                      • Opcode ID: f6f3a3acf082bd0a5d9ff748caf757a0c6485fd0694072b41d9b2b738c563dec
                                      • Instruction ID: e112265f5291f7fbed9e5ebb381307dd27655726dfd0f1f0b2bb5fda635101ca
                                      • Opcode Fuzzy Hash: f6f3a3acf082bd0a5d9ff748caf757a0c6485fd0694072b41d9b2b738c563dec
                                      • Instruction Fuzzy Hash: D44322B0D052688BDB25CF28C8947EEBBB5BF49304F1082EAD449A7242DB756BC4CF55
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049B158
                                      • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049B265
                                      • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049B458
                                      • lstrlen.KERNEL32(?), ref: 0049D22D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                      • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with
                                      • API String ID: 1311570089-747751661
                                      • Opcode ID: 9e0cfae2292340650dd180be020e1692664da05a1eb25defc7f8f7f2b803398a
                                      • Instruction ID: b2dbe3f5757ef5304a2bca7f4d9e3a7c922558eb406562d1b13ccbd165419304
                                      • Opcode Fuzzy Hash: 9e0cfae2292340650dd180be020e1692664da05a1eb25defc7f8f7f2b803398a
                                      • Instruction Fuzzy Hash: BF2321B0D042688BDB25CF28C9947EDBBB1BF59304F1082EAE449A7281DB746BC4CF55

                                      Control-flow Graph (function at 4c8590; the report's graph view marks each basic block Executed or Not Executed)

                                      • 9717: 4c8590-4c85c2 WSAStartup -> 9718, 9719
                                      • 9718: 4c85c8-4c85f2 call 4ea420 * 2 -> 9724, 9725
                                      • 9719: 4c8696-4c869f (no successors)
                                      • 9724: 4c85fe-4c8644 getaddrinfo -> 9726, 9727
                                      • 9725: 4c85f4-4c85f8 -> 9719, 9724
                                      • 9726: 4c8646-4c864c -> 9728, 9729
                                      • 9727: 4c8690 WSACleanup -> 9719
                                      • 9728: 4c864e -> 9731
                                      • 9729: 4c86a4-4c86ae FreeAddrInfoW -> 9727, 9730
                                      • 9730: 4c86b0-4c86b8 (no successors)
                                      • 9731: 4c8654-4c8668 socket -> 9727, 9732
                                      • 9732: 4c866a-4c867a connect -> 9733, 9734
                                      • 9733: 4c867c-4c8684 closesocket -> 9731, 9735
                                      • 9734: 4c86a0 -> 9729
                                      • 9735: 4c8686-4c868a FreeAddrInfoW -> 9727
                                      The edges 9731 -> 9732 -> 9733 -> 9731 form a socket/connect/closesocket loop: connect is retried across the getaddrinfo result list, and both loop exits lead to FreeAddrInfoW and then WSACleanup.
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                      • String ID:
                                      • API String ID: 448659506-0
                                      • Opcode ID: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                      • Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
                                      • Opcode Fuzzy Hash: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                      • Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7
                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049D4F4
                                      • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049D5F2
                                      • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049D7E5
                                      • lstrlen.KERNEL32(?), ref: 0049EF32
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                      • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                      • API String ID: 1311570089-3306948993
                                      • Opcode ID: c6cbefe6cdfd718c914dfa6f95648d9804452b726278078694caf46b48fbcca4
                                      • Instruction ID: d38aed82ee4788d52106214de1412b854dd9129e0c255bb6c7140376d04d8967
                                      • Opcode Fuzzy Hash: c6cbefe6cdfd718c914dfa6f95648d9804452b726278078694caf46b48fbcca4
                                      • Instruction Fuzzy Hash: 570334B0D042688BDB25CF28C9947EEBBB4BF59304F1042EED449A7281EB746B84CF55

                                      Control-flow Graph

                                      APIs
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004C7051
                                        • Part of subcall function 00432534: __EH_prolog3.LIBCMT ref: 00432570
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004C7062
                                        • Part of subcall function 004E74C0: __fread_nolock.LIBCMT ref: 004E7609
                                      • DeleteFileA.KERNELBASE(?), ref: 004C70EB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Cpp_errorThrow_std::_$DeleteFileH_prolog3__fread_nolock
                                      • String ID: 131$binga
                                      • API String ID: 3880692912-2981407559
                                      • Opcode ID: 1d3039ac34b0bace3428b3acdb5220c0de971d4708e8a6c219af6cb8fbb17908
                                      • Instruction ID: 7966019704e3fd473910eda9b3190c6326d4c2da0caac65bea49cbac806563d6
                                      • Opcode Fuzzy Hash: 1d3039ac34b0bace3428b3acdb5220c0de971d4708e8a6c219af6cb8fbb17908
                                      • Instruction Fuzzy Hash: 1E32ACB4D04248CFCB04DFA8C985BAEBBB1BF58304F14419EE8056B392D779AA45CF95

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
                                      • API String ID: 0-1885142750
                                      • Opcode ID: 86b60c77fac7b795ac9b7615c1f9e16c37b5b525381de673a4f5b77e4c01622b
                                      • Instruction ID: 5912c9be0b5fe0253428befa1510005b8e6d21b15bd6994098c8da1f87b2af15
                                      • Opcode Fuzzy Hash: 86b60c77fac7b795ac9b7615c1f9e16c37b5b525381de673a4f5b77e4c01622b
                                      • Instruction Fuzzy Hash: 510258B0A007089BEB209F15DC4577B7BE4EF51304F14442EEA4A9B391EBB9E944CBC6

                                      Control-flow Graph

                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF329
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF52A
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF84A
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DFC7D
                                        • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesErrorFindFirstFolderLastPath
                                      • String ID:
                                      • API String ID: 2127212259-0
                                      • Opcode ID: 2482f94120ed5ea93039516545623d95f61e970846a000b1fcdf438d4bcd209a
                                      • Instruction ID: 8e27dc709fe3b7ff7b62f4d1f71842afe3ac2492894b6e8ccfd466f18f63ab33
                                      • Opcode Fuzzy Hash: 2482f94120ed5ea93039516545623d95f61e970846a000b1fcdf438d4bcd209a
                                      • Instruction Fuzzy Hash: DBA202B4D0425D8BDF25CFA8C995AEEBBB0BF18304F2041AAD949B7351D7341A84CFA5

                                      Control-flow Graph (function at 004DE430; graph rendering not reproduced)

                                      APIs
                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DE8C9
                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DEA83
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DED11
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DEE67
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesCopyErrorFolderLastPath
                                      • String ID:
                                      • API String ID: 1001086254-0
                                      • Opcode ID: 26680b1becdb41978357c0f33f45d202fe4b356215f4adaeaf7733656648b968
                                      • Instruction ID: 4de69712ac24b7a09e9bc2c7d11d42553b755471a164b72fa8c1d2b7ead1c118
                                      • Opcode Fuzzy Hash: 26680b1becdb41978357c0f33f45d202fe4b356215f4adaeaf7733656648b968
                                      • Instruction Fuzzy Hash: 298225B0C042598BCB15CFA9C995BEEBBB0BF18304F10419ED549BB382DB745A85CFA5

                                      Control-flow Graph (function at 004C6000; graph rendering not reproduced)

                                      APIs
                                      • FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                      • FindNextFileA.KERNELBASE(00000000,00000010), ref: 004C643F
                                      • GetLastError.KERNEL32 ref: 004C644D
                                      • FindClose.KERNEL32(00000000), ref: 004C645D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 819619735-0
                                      • Opcode ID: 90cf4eca11af66bb089fdb4a1b4223e767fc84b405f6936ed3c5d03910aaf901
                                      • Instruction ID: afe6fe270f27518361ed143ef8865d869d8c660e8b4c9bb3a5978c93709ae348
                                      • Opcode Fuzzy Hash: 90cf4eca11af66bb089fdb4a1b4223e767fc84b405f6936ed3c5d03910aaf901
                                      • Instruction Fuzzy Hash: ACD17CB4C043488FDB24CF98C994BEEBBB1BF45314F14829ED4496B392D7785A84CB59
                                      APIs
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
                                      • LocalFree.KERNEL32(?), ref: 004C6B86
                                      • LocalFree.KERNEL32(?), ref: 004C6C82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: FreeLocal$CryptDataUnprotect
                                      • String ID:
                                      • API String ID: 2835072361-0
                                      • Opcode ID: 6647244c26512a52de21afd46b75caebb72f7fadd5b90fb549dccdfd3791c3cc
                                      • Instruction ID: 6019ec204b0dd747d4126109e6a4f8e7bf51aa55734569d67b400ef60c6c0d13
                                      • Opcode Fuzzy Hash: 6647244c26512a52de21afd46b75caebb72f7fadd5b90fb549dccdfd3791c3cc
                                      • Instruction Fuzzy Hash: 6171B171C002489BDB00DFA8C945BEEFBB4EF14314F10826EE851B3391EB786A44DBA5
                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053F705
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053FA07
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 885266447-0
                                      • Opcode ID: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                                      • Instruction ID: 1f76d2344d35fe0e13097961589cbfb84b6978ae6f877586e2245b879765d82e
                                      • Opcode Fuzzy Hash: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                                      • Instruction Fuzzy Hash: E3029C71A04702AFDB18CF29C840B6ABBE4BF88318F14867DE859D7650D774ED94CB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                                      • Instruction ID: 127d1e6b524efbadbaaaff55744b8fab0cc6e196c82b7e7b6ae44d0b7ee8643f
                                      • Opcode Fuzzy Hash: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                                      • Instruction Fuzzy Hash: 3BB1F67090060A9BFB28CE68D855ABFBBB1AF04304F140A1FDA52A7791C77D9D21CB59

                                      Control-flow Graph
                                      [Rendered graph not reproduced here; basic blocks 4c7b00-4c7ee6, legend: Executed / Not Executed. API calls appearing in the graph: setsockopt, recv, WSAGetLastError, Sleep. Internal subcalls: 4c8590, 433069, 458660, 418dc0, 4163b0, 408d50, 4c7ef0, 409280, 4338f3, 438c70.]
                                      APIs
                                      • setsockopt.WS2_32(0000036C,0000FFFF,00001006,?,00000008), ref: 004C7BA6
                                      • recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
                                      • WSAGetLastError.WS2_32 ref: 004C7BC5
                                      • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
                                      • recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
                                      • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
                                      • recv.WS2_32(00000000,?,00000008), ref: 004C7D1B
                                        • Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
                                        • Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
                                        • Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
                                        • Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
                                        • Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
                                        • Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
                                        • Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690
                                      • recv.WS2_32(?,00000004,00000008), ref: 004C7E23
                                      • __Xtime_get_ticks.LIBCPMT ref: 004C7E2A
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
                                      • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
                                      • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
                                      • String ID:
                                      • API String ID: 3089209366-0
                                      • Opcode ID: 22b059c2bf6a44bc48976c4274571e0fd76720a3154fb2fdee491ad85608cae8
                                      • Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
                                      • Opcode Fuzzy Hash: 22b059c2bf6a44bc48976c4274571e0fd76720a3154fb2fdee491ad85608cae8
                                      • Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

                                      Control-flow Graph
                                      [Rendered graph not reproduced here; basic blocks 45e140-45f452, legend: Executed / Not Executed. API call appearing in the graph: CreateDirectoryA (at multiple blocks). Internal subcalls: 40b8e0, 4132d0, 41ab20, 402df0, 4163b0, 4df030, 41ad80, 4e6ca0, 4e6770, 4162c0, 4d7600, 416290, 402cf0, 41ae20, 4dff00.]
                                      APIs
                                        • Part of subcall function 0040B8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E242
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045E3D3
                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045E4C6
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045E5BC
                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 0045E808
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E986
                                      • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045EB1D
                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045EC10
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045ED06
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045EDED
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045F06D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                      • String ID:
                                      • API String ID: 453214671-0
                                      • Opcode ID: bd257381b72f24b865c35424aca81356a138dcccbec74b51b3f8208da1a3af36
                                      • Instruction ID: 0e418cf523baa0a35c0a910b93c4bb77d5942d6061cfe1063ad62b245a56bb8b
                                      • Opcode Fuzzy Hash: bd257381b72f24b865c35424aca81356a138dcccbec74b51b3f8208da1a3af36
                                      • Instruction Fuzzy Hash: 4FA226B0D012688BCB25DB65CD95BDDBBB4AF14304F0040EED44A67282EB785F88DF5A

                                      Control-flow Graph
                                      [Rendered graph not reproduced here; basic blocks 4e4720-4e4bc0, legend: Executed / Not Executed. API calls appearing in the graph: RegGetValueA, GetComputerNameExA, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose. Internal subcalls: 4359b0, 416130, 403440.]
                                      APIs
                                      • RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 004E4A70
                                      • GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 004E4ADC
                                      • LsaOpenPolicy.ADVAPI32(00000000,00587684,00000001,?), ref: 004E4B35
                                      • LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 004E4B48
                                      • LsaFreeMemory.ADVAPI32(?), ref: 004E4B76
                                      • LsaClose.ADVAPI32(?), ref: 004E4B7F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
                                      • String ID: %wZ$&"N$;Yb.
                                      • API String ID: 762890658-4094109456
                                      • Opcode ID: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                                      • Instruction ID: db120a3af714b361d6db134a28a940fef9e0d4b71911d12d67c4190411436b99
                                      • Opcode Fuzzy Hash: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                                      • Instruction Fuzzy Hash: 1EE101B4D0425A8FDB14CF98C985BEEBBB4BF08304F2041AAE949B7341D7745A85CFA5

                                      Control-flow Graph

                                      [graph image not reproduced; basic blocks 448910-448c9a, with calls to ReadFile, GetConsoleMode, ReadConsoleW and GetLastError]
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f0ebc92e5ca6f275d4bbb75147d6ad3a24cc47560e82a7b4de6b8652cd53fa6b
                                      • Instruction ID: d4d7462daa34083545f9d93f0c5ebf53bf58a01a885379ada905c47cec286c1a
                                      • Opcode Fuzzy Hash: f0ebc92e5ca6f275d4bbb75147d6ad3a24cc47560e82a7b4de6b8652cd53fa6b
                                      • Instruction Fuzzy Hash: E2B1F4B0A00245AFFB11DF99C881BAE7BB1FF55304F14015EE414AB392CB78AD81CB69

                                      Control-flow Graph

                                      [graph image not reproduced; basic blocks 4d6ba0-4d6d85, with calls to GetLastError, SetLastError, CopyFileA and the RSTRTMGR export at 6CE47CF0]
                                      APIs
                                      • GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                      • 6CE47CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                      • SetLastError.KERNEL32(00000000), ref: 004D6CFE
                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
                                      • GetLastError.KERNEL32(?,?,00000000), ref: 004D6D33
                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D47
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: ErrorLast$CopyFile
                                      • String ID:
                                      • API String ID: 936320341-0
                                      • Opcode ID: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                      • Instruction ID: cca443e56f4e81c83c2dc89493b37bcb85ee1d7da0cfa031959f485395bd6110
                                      • Opcode Fuzzy Hash: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                      • Instruction Fuzzy Hash: 6051C172D01219ABCB21CF94DC55BEEBBB8EB04320F10026AE804B3390D7396E05CBA4

                                      Control-flow Graph

                                      [graph image not reproduced; basic blocks 409280-4097fe, with calls to GetModuleHandleA, GetProcAddress and WSASend]
                                      APIs
                                      • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
                                      • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcSend
                                      • String ID: Ws2_32.dll
                                      • API String ID: 2819740048-3093949381
                                      • Opcode ID: 774b9c4b9187c83634f0aff28f756a2d2202c529353b41c2e594352841e16a85
                                      • Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
                                      • Opcode Fuzzy Hash: 774b9c4b9187c83634f0aff28f756a2d2202c529353b41c2e594352841e16a85
                                      • Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96
                                      APIs
                                        • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • Part of subcall function 004E6C10: CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00465CB0
                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465FD5
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                        • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465EC6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                      • String ID:
                                      • API String ID: 453214671-0
                                      • Opcode ID: c1b21f399d309448afd63e0aa7f7554c44f6e0905c5994cb67049cb66184fefb
                                      • Instruction ID: bdb7de5e538d98cc2bc1e856d074b668cb5d4ba5ca64421d2565693f44b24664
                                      • Opcode Fuzzy Hash: c1b21f399d309448afd63e0aa7f7554c44f6e0905c5994cb67049cb66184fefb
                                      • Instruction Fuzzy Hash: 8053CFB0D052688FDB65DF55C994BDDBBB0BB58304F0041EAD44AA7292EB382F84DF49
                                      APIs
                                      • GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                      • String ID:
                                      • API String ID: 995686243-0
                                      • Opcode ID: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                                      • Instruction ID: 241e2f942859b358e1133ab4bf22632851a161ac9c5554c12c2f2fb0b7350d8e
                                      • Opcode Fuzzy Hash: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                                      • Instruction Fuzzy Hash: DF11CE71A0028496DB205F6A5C08F6A7F60EB22772F64031BD8359B3D4DB3948058759
                                      APIs
                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6A20
                                        • Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                        • Part of subcall function 004D6BA0: 6CE47CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B84
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Cpp_errorThrow_std::_$CopyErrorFileLast
                                      • String ID:
                                      • API String ID: 1723067277-0
                                      • Opcode ID: 9fad268e1b32fb5342daa8b04bbb0199fc585924ca8808c03fe502974afbaa59
                                      • Instruction ID: af59b977606615079acd7a310a8afa41bd250120d803ccb4a837ad8b48953fd5
                                      • Opcode Fuzzy Hash: 9fad268e1b32fb5342daa8b04bbb0199fc585924ca8808c03fe502974afbaa59
                                      • Instruction Fuzzy Hash: 5BD18BB0C00249DBDB04DFA9C9557EEBBB1BF54304F14419ED80577382EB785A45CBA6
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00493D89
                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 00493DAC
                                      • RegCloseKey.ADVAPI32(?), ref: 00493DB7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 77d91e2ffbc41f4e718118182c7f4e60994b52f51d4fd49462c42fe523481256
                                      • Instruction ID: c2861601c7c989816088ca7cd521e7ac3defefe444e22908af63c5fcea44e6b0
                                      • Opcode Fuzzy Hash: 77d91e2ffbc41f4e718118182c7f4e60994b52f51d4fd49462c42fe523481256
                                      • Instruction Fuzzy Hash: C8C136B1D042499FDB14CFA8D986BAEBBB0EF09314F204169E905B7391E7345A84CFA5
                                      APIs
                                      • CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                                        • Part of subcall function 00432BAA: RtlReleaseSRWLockExclusive.NTDLL(004E6D30), ref: 00432BBE
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C84
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
                                      • String ID:
                                      • API String ID: 1881651058-0
                                      • Opcode ID: 1369faf54573f1097b34743c1b99fafbb3d15d6b7359fe2f2678d7eae3eda35f
                                      • Instruction ID: b54f6e02dbe68d52aaf8ce57ceccae370b453a77f91dfdb3bbc81736346272f4
                                      • Opcode Fuzzy Hash: 1369faf54573f1097b34743c1b99fafbb3d15d6b7359fe2f2678d7eae3eda35f
                                      • Instruction Fuzzy Hash: B2F049B1500640FBD7109F999D06B6ABBA8FB05731F14031AFC35A63D0D7B5190087AA
                                      APIs
                                      • DeleteFileW.KERNELBASE(?,?,0043D2B1,?), ref: 0044B9D8
                                      • GetLastError.KERNEL32(?,0043D2B1,?), ref: 0044B9E2
                                      • __dosmaperr.LIBCMT ref: 0044B9E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: DeleteErrorFileLast__dosmaperr
                                      • String ID:
                                      • API String ID: 1545401867-0
                                      • Opcode ID: 09b3d7d03d43d7566e94fc4839c3f2f0e9d57db1a11ed26f70a1bc8201ac59e9
                                      • Instruction ID: 29a5b21677c8caf908dcad016bfb5ae84cbfd6cad116b975ceede8be2d8f2443
                                      • Opcode Fuzzy Hash: 09b3d7d03d43d7566e94fc4839c3f2f0e9d57db1a11ed26f70a1bc8201ac59e9
                                      • Instruction Fuzzy Hash: 00D0C9321146086BEA106BB6BC089163B6D9A913797140616F52CC52A0EE25C895A665
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004E588F
                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004E5B9B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: DirectoryInformationVolumeWindows
                                      • String ID:
                                      • API String ID: 3487004747-0
                                      • Opcode ID: 0a0dcd09eef47cc32d5847b2942677d40245ae2126d3bdebcd0edae20a9bad6e
                                      • Instruction ID: 009fea26e280c08ebde66711631a2368a09a7ac58c7b38572a32fddf838a6e16
                                      • Opcode Fuzzy Hash: 0a0dcd09eef47cc32d5847b2942677d40245ae2126d3bdebcd0edae20a9bad6e
                                      • Instruction Fuzzy Hash: 81F157B0D002499BDB14CFA8C9957EEBBB1FF08304F24425EE545BB381DB756A84CBA5
                                      APIs
                                        • Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(0B60023A,00000000,00000000,0043D0C7), ref: 00448F02
                                      • WriteFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?,004E6E3C,?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7), ref: 0044990E
                                      • GetLastError.KERNEL32(?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7,004E6E3C,?,00000000,?), ref: 00449918
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: ConsoleErrorFileLastOutputWrite
                                      • String ID:
                                      • API String ID: 2915228174-0
                                      • Opcode ID: 31457cb41688bf9267a4d34aaba0591c787e78cc82baf2098e7bb743f7a0da0b
                                      • Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
                                      • Opcode Fuzzy Hash: 31457cb41688bf9267a4d34aaba0591c787e78cc82baf2098e7bb743f7a0da0b
                                      • Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65
                                      APIs
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D676A
                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D677B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Cpp_errorThrow_std::_
                                      • String ID:
                                      • API String ID: 2134207285-0
                                      • Opcode ID: ee00d86a89ee62715d60b896044e90f690cda42d917c0ef1e64fc9d0a964cb8a
                                      • Instruction ID: 177bb7d1701b8dda1f5a90c4ee3be826f8175b366ab48e47effb054e9b4aa952
                                      • Opcode Fuzzy Hash: ee00d86a89ee62715d60b896044e90f690cda42d917c0ef1e64fc9d0a964cb8a
                                      • Instruction Fuzzy Hash: 6441F2B1E002058BC720DF68995136EBBA1BB94314F19072FE815673D1EB79EA04C795
                                      APIs
                                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E55
                                      • GetLastError.KERNEL32(?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E5F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: ChangeCloseErrorFindLastNotification
                                      • String ID:
                                      • API String ID: 1687624791-0
                                      • Opcode ID: b06bb773f2e3691ac59e29f36838d983fea0542ad72171c0b67bdc6ed3fb0d12
                                      • Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
                                      • Opcode Fuzzy Hash: b06bb773f2e3691ac59e29f36838d983fea0542ad72171c0b67bdc6ed3fb0d12
                                      • Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(00000000,00000000,0043D0C7,00000000,00000002,00000000,00000000,00000000,00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000), ref: 00442558
                                      • GetLastError.KERNEL32(00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000,?,0044982E,00000000,00000000,00000000,00000002,0043D0C7,00000000), ref: 00442565
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: 68e58f652f7d6d636abaf7dbd87b622c8ec0f619f1e8a4c00f9091375e275125
                                      • Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
                                      • Opcode Fuzzy Hash: 68e58f652f7d6d636abaf7dbd87b622c8ec0f619f1e8a4c00f9091375e275125
                                      • Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4
                                      APIs
                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B030
                                      • GetLastError.KERNEL32(?,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B03B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 485612231-0
                                      • Opcode ID: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                      • Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
                                      • Opcode Fuzzy Hash: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                      • Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 98ad1d256c0ddfb69c72597b5609d37edd2aee79e43187298c3c7066527089eb
                                      • Instruction ID: 65307ecbef6fb9e01e3d4ad067897c34c173f6a72c2a6aa1ef5fcaa49911cde8
                                      • Opcode Fuzzy Hash: 98ad1d256c0ddfb69c72597b5609d37edd2aee79e43187298c3c7066527089eb
                                      • Instruction Fuzzy Hash: 0E02A070D04248DFDB14DF68C945BDDBBB0AB14308F14419ED8057B386EBB95E88DB9A
                                      APIs
                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00414093
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task
                                      • String ID:
                                      • API String ID: 118556049-0
                                      • Opcode ID: 292ee55504a0c84bc4dce0c46bca906e9555851c0c64a8d595c00ed0b9889e27
                                      • Instruction ID: 20828e305faf8902bc30eee05bf9285b15bc31f2c0f4ddd4d11a1ed2060bf189
                                      • Opcode Fuzzy Hash: 292ee55504a0c84bc4dce0c46bca906e9555851c0c64a8d595c00ed0b9889e27
                                      • Instruction Fuzzy Hash: 21C138B0901249DFDB00CFA9C444799FBF0AF49314F28C1AEE458AB391D77A9A45CF95
                                      APIs
                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0041546E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task
                                      • String ID:
                                      • API String ID: 118556049-0
                                      • Opcode ID: d8e0c2d8605fadc367f8379d6fda68e220b434a80e24b35f09aa55ac94478e6c
                                      • Instruction ID: bd448271620100f3a1b1b6e8090fbb17c8ec551eb96fe3ea9a7077eb077db61a
                                      • Opcode Fuzzy Hash: d8e0c2d8605fadc367f8379d6fda68e220b434a80e24b35f09aa55ac94478e6c
                                      • Instruction Fuzzy Hash: AF6199B1A00614DFCB10CF59C984B9ABBF5FF88310F24816EE8199B391C778EA41CB95
                                      APIs
                                      • Concurrency::cancel_current_task.LIBCPMT ref: 004239F6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task
                                      • String ID:
                                      • API String ID: 118556049-0
                                      • Opcode ID: 0b30ede6d2177858bd02f28407913f6a139226577b0ddbf2f8e8131ed222de7e
                                      • Instruction ID: ae0d64c3ee62d8e2c2672323fae3dbdcf3c597174b0ef38ce080d0ce73c77a4b
                                      • Opcode Fuzzy Hash: 0b30ede6d2177858bd02f28407913f6a139226577b0ddbf2f8e8131ed222de7e
                                      • Instruction Fuzzy Hash: 7E51D671B001149FCB04EF68DD82A6EBBB5AB48304F54462EF801EB3D1DB78AA44CB95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                                      • Instruction ID: 9663080612542d3e5f9b84a36c3ecf1ef98ea00319430370267f097460dfd66c
                                      • Opcode Fuzzy Hash: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                                      • Instruction Fuzzy Hash: 2651C670A00204AFDF14DF59C881AAABBA2EF8D328F24915EF8089B352D775DD41CB55
                                      APIs
                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00429F7B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.2007817904.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2007973463.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008013177.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008044442.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008072531.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000751000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000753000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000755000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000759000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000760000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000076E000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000770000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000776000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000077C000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000784000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.0000000000788000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007AE000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2008102325.00000000007B3000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2009017637.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task
                                      • String ID:
                                      • API String ID: 118556049-0
                                      • Opcode ID: 8482c0d6c957f33918d9138d1bd6797b8604ed2ab317032aa5cc83da2685a5d5
                                      • Instruction ID: efe4cd6a287aa12a83b409d23e88dd93d6c4865ddef84cf0d949cd52fc0f7608
                                      • Opcode Fuzzy Hash: 8482c0d6c957f33918d9138d1bd6797b8604ed2ab317032aa5cc83da2685a5d5
                                      • Instruction Fuzzy Hash: AA410271E001259FCB14DF68C9419AEBBB9EB89310F64422EE815E7381D738DE01CBE4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: __fread_nolock
                                      • String ID:
                                      • API String ID: 2638373210-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: __fread_nolock
                                      • String ID:
                                      • API String ID: 2638373210-0
                                      APIs
                                      • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00406908
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: ___std_fs_directory_iterator_open@12
                                      • String ID:
                                      • API String ID: 29801545-0
                                      APIs
                                      • SetupDiGetClassDevsA.SETUPAPI(0055D560,00000000,00000000), ref: 004E5D47
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: ClassDevsSetup
                                      • String ID:
                                      • API String ID: 2330331845-0
                                      APIs
                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0040331F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task
                                      • String ID:
                                      • API String ID: 118556049-0
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,000000FF,00000000), ref: 0044A69B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      APIs
                                      • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406853
                                        • Part of subcall function 00431F7B: FindNextFileW.KERNELBASE(?,?,?,00406858,?,?,?,?,0040691A,?,?,?,00000000,?,?), ref: 00431F84
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: FileFindNext___std_fs_directory_iterator_advance@8
                                      • String ID:
                                      • API String ID: 3878998205-0
                                      • Opcode ID: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                                      • Instruction ID: f155dccb83496c4d8f98fbb14974b26749813e83e467fdfa34ea523ab42003ff
                                      • Opcode Fuzzy Hash: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                                      • Instruction Fuzzy Hash: 63D05E22701520118D24752738085AF06498DC66A8A42447FB84AB32C2EA2D8C0311AD
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2007848217.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_7rA1iX60wh.jbxd
                                      Similarity
                                      • API ID: H_prolog3
                                      • String ID:
                                      • API String ID: 431132790-0
                                      • Opcode ID: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                                      • Instruction ID: ccf5b3b5ee64302dd7184922bc8d264c22512182c10063c293431932d1ea205a
                                      • Opcode Fuzzy Hash: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                                      • Instruction Fuzzy Hash: 13E09AB2C0020D9ADB00DFD5C452BEFBBB8AB08315F50446BA205E6181EB789748CBE5