
Windows Analysis Report
plTAoSCew2.exe

Overview

General Information

Sample name: plTAoSCew2.exe (renamed because original name is a hash value)
Original sample name: ad7b4598918c9f75bcad2d3837abc47e.exe
Analysis ID: 1460407
MD5: ad7b4598918c9f75bcad2d3837abc47e
SHA1: c216e887a2559bc45f4b75d8f97e8d2450f16213
SHA256: d0e3c511f4c02b9dd4130462ac716024ad29581a072a9095f40ac7c348c7ede6
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • plTAoSCew2.exe (PID: 432 cmdline: "C:\Users\user\Desktop\plTAoSCew2.exe" MD5: AD7B4598918C9F75BCAD2D3837ABC47E)
    • schtasks.exe (PID: 1072 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 1236 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 1068 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: AD7B4598918C9F75BCAD2D3837ABC47E)
    • WerFault.exe (PID: 7464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1876 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 6288 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: AD7B4598918C9F75BCAD2D3837ABC47E)
    • WerFault.exe (PID: 7512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 1744 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: AD7B4598918C9F75BCAD2D3837ABC47E)
  • RageMP131.exe (PID: 7840 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: AD7B4598918C9F75BCAD2D3837ABC47E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\RRyR9q5fccm7OnjvPC2dXYR.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\i6XbcxN8dLmuU_sWPwGcEWP.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000002.1966042254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000005.00000003.1817420453.00000000056E4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000005.00000003.1786962093.00000000056E3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000005.00000003.1786825043.00000000056E3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
(5 of 15 entries shown)

                System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\plTAoSCew2.exe, ProcessId: 432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/20/24-23:37:06.459517 | 2046269 | 49731 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:36:58.414569 | 2049060 | 49731 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:37:20.478810 | 2046266 | 58709 | 49754 | TCP | A Network Trojan was detected
06/20/24-23:37:07.984285 | 2046269 | 49734 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:37:12.469216 | 2046266 | 58709 | 49742 | TCP | A Network Trojan was detected
06/20/24-23:37:01.576649 | 2046266 | 58709 | 49734 | TCP | A Network Trojan was detected
06/20/24-23:37:23.984675 | 2046269 | 49754 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:36:59.610617 | 2046266 | 58709 | 49731 | TCP | A Network Trojan was detected
06/20/24-23:37:01.475795 | 2046266 | 58709 | 49733 | TCP | A Network Trojan was detected
06/20/24-23:37:07.937383 | 2046269 | 49733 | 58709 | TCP | A Network Trojan was detected
06/20/24-23:36:59.830397 | 2046267 | 58709 | 49731 | TCP | A Network Trojan was detected
06/20/24-23:37:01.695305 | 2046267 | 58709 | 49733 | TCP | A Network Trojan was detected
06/20/24-23:37:01.804652 | 2046267 | 58709 | 49734 | TCP | A Network Trojan was detected

                AV Detection

Source: http://77.91.77.81/mine/amadka.exe; Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe; Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe.1; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeP; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exeisepro_bot; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe963; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe00.1; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe; Avira URL Cloud: Label: phishing
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; ReversingLabs: Detection: 51%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Joe Sandbox ML: detected
Source: plTAoSCew2.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_004C6B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 5_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,5_2_004C6B00
Source: plTAoSCew2.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00493F40
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 5_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004C6000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 5_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,5_2_004E6770
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 5_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,5_2_00493F40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 5_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,5_2_004DFF00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError,5_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 5_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,5_2_00432022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 5_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,5_2_004938D0

                Networking

Source: Traffic; Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49734
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49734
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49734 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49742
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49754
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49754 -> 77.91.77.66:58709
Source: global traffic; TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic; TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 34.117.186.192
Source: Joe Sandbox View; IP Address: 104.26.5.15
Source: Joe Sandbox View; IP Address: 77.91.77.66
Source: Joe Sandbox View; ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown; DNS query: name: ipinfo.io
Source: global traffic; HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic; HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown; TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: C:\Users\user\Desktop\plTAoSCew2.exe; Code function: 0_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,0_2_004C8590
Source: global traffic; DNS traffic detected: DNS query: ipinfo.io
Source: global traffic; DNS traffic detected: DNS query: db-ip.com
Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1939291540.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1952431025.00000000057FD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.91.77.81/cost/go.exeP
Source: plTAoSCew2.exe, 00000000.00000002.1966229091.0000000005825000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1760783961.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1759698387.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791446297.000000000581F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.91.77.81/cost/lenin.exe00.1
Source: plTAoSCew2.exe, 00000000.00000002.1966229091.0000000005825000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1760783961.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1759698387.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791446297.000000000581F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://77.91.77.81/cost/lenin.exe963
                Source: MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exeisepro_bot
                Source: MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/mine/amadka.exe
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/mine/amadka.exe.1
                Source: MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1728227491.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
                Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
                Source: plTAoSCew2.exe, 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp, plTAoSCew2.exe, 00000000.00000003.1666366479.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938053535.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1698887764.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1699835133.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1950317365.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000A.00000002.1885484407.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000A.00000003.1809231647.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1978107084.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000011.00000003.1889498144.0000000000F10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: MPGPH131.exe, 00000006.00000003.1728227491.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.000000000106F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/6
                Source: RageMP131.exe, 0000000A.00000002.1886588221.0000000001030000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.0000000001065000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33U
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33XB
                Source: RageMP131.exe, 0000000A.00000002.1886588221.0000000001030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33tA
                Source: MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1728227491.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/i
                Source: MPGPH131.exe, 00000006.00000003.1728227491.0000000000D36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/u
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/z
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1728227491.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.0000000001030000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
                Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001010000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.000000000104D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001041000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Grr
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951132632.0000000000D0B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.0000000001026000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.000000000104D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000DA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Wp
                Source: plTAoSCew2.exe, 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp, plTAoSCew2.exe, 00000000.00000003.1666366479.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938053535.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1698887764.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1699835133.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1950317365.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000A.00000002.1885484407.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000A.00000003.1809231647.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1978107084.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000011.00000003.1889498144.0000000000F10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/p
                Source: MPGPH131.exe, 00000006.00000002.1951132632.0000000000CDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/t
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951132632.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.000000000102E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
                Source: MPGPH131.exe, 00000006.00000002.1951132632.0000000000C97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33P
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33V0
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000000FD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33e
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000DBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33o
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951132632.0000000000D0B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.0000000001026000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.000000000104D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                Source: plTAoSCew2.exe, 00000000.00000003.1746011314.0000000005817000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1748770290.0000000005838000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775059834.0000000005700000.00000004.00000020.00020000.00000000.sdmp, tJraVEZ3gCYZHistory.5.dr, JaptwNSGRKkjHistory.0.dr, BXcENIBcAk_THistory.5.dr, x2c20gF0jhVeHistory.0.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: tJraVEZ3gCYZHistory.5.dr, JaptwNSGRKkjHistory.0.dr, BXcENIBcAk_THistory.5.dr, x2c20gF0jhVeHistory.0.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: plTAoSCew2.exe, 00000000.00000003.1746011314.0000000005817000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1748770290.0000000005838000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775059834.0000000005700000.00000004.00000020.00020000.00000000.sdmp, tJraVEZ3gCYZHistory.5.dr, JaptwNSGRKkjHistory.0.dr, BXcENIBcAk_THistory.5.dr, x2c20gF0jhVeHistory.0.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: tJraVEZ3gCYZHistory.5.dr, JaptwNSGRKkjHistory.0.dr, BXcENIBcAk_THistory.5.dr, x2c20gF0jhVeHistory.0.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.5F
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.H
                Source: MPGPH131.exe, 00000006.00000002.1951132632.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, RRyR9q5fccm7OnjvPC2dXYR.zip.5.dr, i6XbcxN8dLmuU_sWPwGcEWP.zip.0.drString found in binary or memory: https://t.me/RiseProSUPPORT
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT-n
                Source: MPGPH131.exe, 00000005.00000002.1939291540.000000000568C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT4
                Source: plTAoSCew2.exe, 00000000.00000002.1966042254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791524447.00000000057EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTZ
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.0.drString found in binary or memory: https://t.me/risepro_bot
                Source: MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot.46.123.33
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botJ
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botQB
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botX
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.0000000001030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
                Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drString found in binary or memory: https://www.ecosia.org/newtab/
Source: plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: plTAoSCew2.exe, MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: plTAoSCew2.exe, 00000000.00000002.1966229091.0000000005825000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1758383046.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1760783961.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1759698387.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791446297.000000000581F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1952431025.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: plTAoSCew2.exe, 00000000.00000002.1966229091.0000000005825000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1758383046.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1760783961.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1759698387.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791446297.000000000581F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/EH
Source: plTAoSCew2.exe, 00000000.00000003.1748032372.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745823071.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000002.1966042254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1746837254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791524447.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747439986.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1773502573.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1773782077.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1939291540.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769017495.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771529992.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1772016615.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.5.dr, 3b6N2Xdh3CYwplaces.sqlite.5.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: plTAoSCew2.exe, 00000000.00000002.1966229091.0000000005825000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1758383046.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1760783961.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1759698387.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791446297.000000000581F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1952431025.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: plTAoSCew2.exe, 00000000.00000003.1748032372.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745823071.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000002.1966042254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1746837254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791524447.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747439986.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1773502573.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1773782077.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1939291540.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769017495.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771529992.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1772016615.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1952431025.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771375415.0000000005812000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.5.dr, 3b6N2Xdh3CYwplaces.sqlite.5.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
Source: MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxe
Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxmChE5
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004E5FF0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,735274A0,DeleteObject,DeleteObject,ReleaseDC

                System Summary

Source: plTAoSCew2.exe | Static PE information: section name:
Source: plTAoSCew2.exe | Static PE information: section name:
Source: plTAoSCew2.exe | Static PE information: section name:
Source: plTAoSCew2.exe | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0044002D
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004DF030
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0049F0D0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004AA200
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0049D3A0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004963B0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00490440
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004DE430
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0053F550
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004D7600
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004986B0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0040B8E0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00481C10
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004FAD00
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00493F40
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0049AF60
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004DFF00
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00493080
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004371A0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0044036F
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004A4320
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004845E0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0042F580
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004A3610
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_005486C0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00547760
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004E77E0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004547BF
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0043C960
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0043A928
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_0044DA86
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00458BB0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004EEC40
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004EFC40
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00534D40
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00546D20
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00545DE0
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00458E30
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00541F00
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0044002D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DF030
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0049F0D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004AA200
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0049D3A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004963B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00490440
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DE430
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0053F550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004D7600
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004986B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0040B8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00481C10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004FAD00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493F40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0049AF60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004DFF00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00493080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004A4320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004845E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004A3610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_005486C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00547760
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004E77E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004EEC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00534D40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00546D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00545DE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00458E30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00541F00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0041ACE0 appears 86 times
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: String function: 0041ACE0 appears 86 times
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1920
Source: plTAoSCew2.exe | Binary or memory string: OriginalFilename vs plTAoSCew2.exe
Source: plTAoSCew2.exe, 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs plTAoSCew2.exe
Source: plTAoSCew2.exe, 00000000.00000000.1664463109.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs plTAoSCew2.exe
Source: plTAoSCew2.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs plTAoSCew2.exe
Source: plTAoSCew2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: plTAoSCew2.exe | Static PE information: Section: ZLIB complexity 0.9988905877088305
Source: plTAoSCew2.exe | Static PE information: Section: ZLIB complexity 0.9935385338345865
Source: plTAoSCew2.exe | Static PE information: Section: ZLIB complexity 0.99267578125
Source: plTAoSCew2.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9988905877088305
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9935385338345865
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99267578125
Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9988905877088305
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9935385338345865
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99267578125
Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/60@2/3
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\plTAoSCew2.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6288
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess432
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1068
Source: C:\Users\user\Desktop\plTAoSCew2.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\plTAoSCew2.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: plTAoSCew2.exe, 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp, plTAoSCew2.exe, 00000000.00000003.1666366479.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938053535.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1698887764.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1699835133.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1950317365.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000A.00000002.1885484407.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000A.00000003.1809231647.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1978107084.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000011.00000003.1889498144.0000000000F10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: plTAoSCew2.exe, 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp, plTAoSCew2.exe, 00000000.00000003.1666366479.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938053535.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1698887764.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1699835133.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1950317365.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000A.00000002.1885484407.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000A.00000003.1809231647.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1978107084.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000011.00000003.1889498144.0000000000F10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: MPGPH131.exe, 00000006.00000003.1772122217.0000000005824000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771164349.0000000005824000.00000004.00000020.00020000.00000000.sdmp, lYr9Rb7gll4tLogin Data For Account.0.dr, CVJRxkpfLg0jLogin Data.5.dr, EioxHbeh0kFpLogin Data.0.dr, t2IZA4tw1EDpLogin Data For Account.5.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: plTAoSCew2.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\plTAoSCew2.exe | File read: C:\Users\user\Desktop\plTAoSCew2.exe
Source: unknown | Process created: C:\Users\user\Desktop\plTAoSCew2.exe "C:\Users\user\Desktop\plTAoSCew2.exe"
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1920
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1876
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 1744
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\plTAoSCew2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                Source: C:\Users\user\Desktop\plTAoSCew2.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exeSection loaded: d3d11.dllJump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: d3d10warp.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: dxcore.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: devobj.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: vaultcli.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: plTAoSCew2.exe | Static file information: File size 3529232 > 1048576
                Source: plTAoSCew2.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2a6200
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
                Source: initial sample | Static PE information: section where entry point is pointing to: .boot
                Source: plTAoSCew2.exe | Static PE information: section name:
                Source: plTAoSCew2.exe | Static PE information: section name:
                Source: plTAoSCew2.exe | Static PE information: section name:
                Source: plTAoSCew2.exe | Static PE information: section name:
                Source: plTAoSCew2.exe | Static PE information: section name: .themida
                Source: plTAoSCew2.exe | Static PE information: section name: .boot
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name: .themida
                Source: RageMP131.exe.0.dr | Static PE information: section name: .boot
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name: .themida
                Source: MPGPH131.exe.0.dr | Static PE information: section name: .boot
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_006C88F4 push eax; mov dword ptr [esp], ecx 0_2_007E9F46
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_006C88F4 push 2238CB59h; mov dword ptr [esp], ebx 0_2_007E9F78
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_006C88F4 push edx; mov dword ptr [esp], ebx 0_2_007E9FF0
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Code function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_006C88F4 push eax; mov dword ptr [esp], ecx 5_2_007E9F46
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_006C88F4 push 2238CB59h; mov dword ptr [esp], ebx 5_2_007E9F78
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_006C88F4 push edx; mov dword ptr [esp], ebx 5_2_007E9FF0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00433F59 push ecx; ret 5_2_00433F6C
                Source: plTAoSCew2.exe | Static PE information: section name:  entropy: 7.9802115805595335
                Source: RageMP131.exe.0.dr | Static PE information: section name:  entropy: 7.9802115805595335
                Source: MPGPH131.exe.0.dr | Static PE information: section name:  entropy: 7.9802115805595335
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

                Boot Survival

                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\plTAoSCew2.exe Stalling execution: Execution stalls by calling Sleep
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
                Source: C:\Users\user\Desktop\plTAoSCew2.exe System information queried: FirmwareTableInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\plTAoSCew2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_004C6000
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_004E6770
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree, 0_2_00493F40
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_004DFF00
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 0_2_00431F9C
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_00432022
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_004938D0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 5_2_004C6000
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 5_2_004E6770
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree, 5_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 5_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 5_2_00431F9C
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 5_2_00432022
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 5_2_004938D0
                Source: MPGPH131.exe, 00000006.00000003.1787428377.0000000005818000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
                Source: Amcache.hve.9.dr Binary or memory string: VMware
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWfsZ
                Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1728227491.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1886588221.0000000001030000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1979076933.0000000001020000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: RageMP131.exe, 0000000A.00000002.1886588221.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
                Source: MPGPH131.exe, 00000005.00000002.1939291540.000000000568C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_55C92DC3.oj
                Source: RageMP131.exe, 00000011.00000003.1901450002.0000000001039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*?h
                Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: MPGPH131.exe, 00000006.00000002.1951132632.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHq
                Source: plTAoSCew2.exe, 00000000.00000002.1965989888.00000000057C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}+
                Source: MPGPH131.exe, 00000006.00000002.1951132632.0000000000C90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000001065000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW11
                Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!?
                Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
                Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: RageMP131.exe, 00000011.00000002.1979076933.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
                Source: RageMP131.exe, 0000000A.00000002.1886588221.000000000100B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
                Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
                Source: RageMP131.exe, 00000011.00000003.1901450002.0000000001039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: MPGPH131.exe, 00000005.00000003.1711785629.0000000000DD1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}5>
                Source: MPGPH131.exe, 00000005.00000003.1786679262.00000000056DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\Public
                Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1728227491.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _vmware
                Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \?\scsi_vmwaretual_dif219&0&3f563070-94f2-b8b}~
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&2g
                Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
                Source: plTAoSCew2.exe, 00000000.00000002.1965989888.00000000057C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!
                Source: plTAoSCew2.exe, 00000000.00000003.1791446297.000000000581F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_55C92DC3-J
                Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: MPGPH131.exe, 00000006.00000003.1787428377.0000000005818000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_55C92DC3
                Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
                Source: MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
                Source: RageMP131.exe, 0000000A.00000003.1821753153.0000000001013000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Process queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00438A64
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h] 0_2_004C6D80
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_00493F40 mov eax, dword ptr fs:[00000030h] 0_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004C6D80 mov eax, dword ptr fs:[00000030h] 5_2_004C6D80
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00493F40 mov eax, dword ptr fs:[00000030h] 5_2_00493F40
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_004E9A70
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043451D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0043451D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00438A64

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 5_2_004CF280
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_004DFF00
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: GetLocaleInfoW, 0_2_004531CA
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: EnumSystemLocalesW, 0_2_0044B1B1
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004532F3
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: GetLocaleInfoW, 0_2_004533F9
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004534CF
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: GetLocaleInfoW, 0_2_0044B734
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00452B5A
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: GetLocaleInfoW, 0_2_00452D5F
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: EnumSystemLocalesW, 0_2_00452E51
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: EnumSystemLocalesW, 0_2_00452E06
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: EnumSystemLocalesW, 0_2_00452EEC
                Source: C:\Users\user\Desktop\plTAoSCew2.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452F77
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 5_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_004531CA
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_0044B1B1
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_004532F3
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,5_2_004533F9
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_004534CF
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,5_2_0044B734
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,5_2_00452B5A
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,5_2_00452D5F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,5_2_00452E51
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,5_2_00452E06
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,5_2_00452EEC
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00452F77
                Source: C:\Users\user\Desktop\plTAoSCew2.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\plTAoSCew2.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformationJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformationJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\plTAoSCew2.exeCode function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
                Source: C:\Users\user\Desktop\plTAoSCew2.exeCode function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
                Source: C:\Users\user\Desktop\plTAoSCew2.exeCode function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
                Source: C:\Users\user\Desktop\plTAoSCew2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: Amcache.hve.9.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1966042254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1817420453.00000000056E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1786962093.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1786825043.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1791524447.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1951132632.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1939291540.00000000056E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1939291540.000000000568C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1786572125.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: plTAoSCew2.exe PID: 432, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1068, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6288, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7396, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7840, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RRyR9q5fccm7OnjvPC2dXYR.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\i6XbcxN8dLmuU_sWPwGcEWP.zip, type: DROPPED
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: plTAoSCew2.exe, 00000000.00000002.1965989888.00000000057C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\walletsi
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx_&
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: plTAoSCew2.exe, 00000000.00000002.1965989888.00000000057C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000001001000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json*
                Source: plTAoSCew2.exe, 00000000.00000002.1965989888.00000000057C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsPN}Q
                Source: plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                Source: plTAoSCew2.exe, 00000000.00000003.1753421786.000000000580D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (reported 2 times)
                Source: C:\Users\user\Desktop\plTAoSCew2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (reported 2 times)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (reported 2 times)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1938691666.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: plTAoSCew2.exe PID: 432, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1068, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6288, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1966042254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1817420453.00000000056E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1786962093.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1786825043.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1791524447.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1951132632.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1939291540.00000000056E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1939291540.000000000568C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1786572125.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: plTAoSCew2.exe PID: 432, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1068, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6288, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7396, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7840, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RRyR9q5fccm7OnjvPC2dXYR.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\i6XbcxN8dLmuU_sWPwGcEWP.zip, type: DROPPED
                MITRE ATT&CK Matrix (one line per tactic, cells in the report's row order; a number in parentheses is the report's count for that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: Native API (2); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (12); Process Injection (11); Indicator Removal from Tools; HTML Smuggling; Dynamic API Resolution
                Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Query Registry (1); Security Software Discovery (351); Virtualization/Sandbox Evasion (12); Process Discovery (2); System Owner/User Discovery (1); System Network Configuration Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: Archive Collected Data (1); Data from Local System (2); Screen Capture (1); Email Collection (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1460407, Sample: plTAoSCew2.exe, Startdate: 20/06/2024, Architecture: WINDOWS, Score: 100

                Start
                • DNS: ipinfo.io; db-ip.com
                • Signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Yara detected RisePro Stealer; 4 other signatures
                • Started: plTAoSCew2.exe 1 62; MPGPH131.exe 55; MPGPH131.exe 10 48; 2 other processes

                plTAoSCew2.exe
                • Network: 77.91.77.66, 49731, 49733, 49734 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); ipinfo.io 34.117.186.192, 443, 49732, 49736 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); db-ip.com 104.26.5.15, 443, 49735, 49738 (CLOUDFLARENETUS, United States)
                • Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\i6XbcxN8dLmuU_sWPwGcEWP.zip (Zip); 2 other malicious files
                • Signatures: Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
                • Started: WerFault.exe; schtasks.exe 1; schtasks.exe 1

                MPGPH131.exe (first instance)
                • Dropped: C:\Users\user\...\RRyR9q5fccm7OnjvPC2dXYR.zip (Zip)
                • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call
                • Started: WerFault.exe

                MPGPH131.exe (second instance)
                • Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to detect sandboxes / dynamic malware analysis system (registry check)
                • Started: WerFault.exe

                WerFault.exe
                • Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)

                schtasks.exe (each of the two instances)
                • Started: conhost.exe

                Source | Detection | Scanner | Label | Link
                plTAoSCew2.exe | 100% | Joe Sandbox ML
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML
                C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML
                C:\ProgramData\MPGPH131\MPGPH131.exe | 51% | ReversingLabs | Win32.Trojan.RiseProStealer
                C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 51% | ReversingLabs | Win32.Trojan.RiseProStealer
                No Antivirus matches
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                ipinfo.io | 34.117.186.192 | true | false | | unknown
                db-ip.com | 104.26.5.15 | true | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                https://ipinfo.io/widget/demo/8.46.123.33 | false | Avira URL Cloud: safe | unknown
                https://ipinfo.io/ | false | URL Reputation: safe | unknown
                https://db-ip.com/demo/home.php?s=8.46.123.33 | false | Avira URL Cloud: safe | unknown
                    • URL Reputation: safe
                    unknown
                    https://t.me/risepro_botRageMP131.exe, 00000011.00000002.1979076933.0000000001071000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://db-ip.com/demo/home.php?s=8.46.123.33tARageMP131.exe, 0000000A.00000002.1886588221.0000000001030000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://db-ip.com/zplTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://77.91.77.81/cost/lenin.exe00.1MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: phishing
                    unknown
                    https://www.maxmind.com/en/locate-my-ip-addressplTAoSCew2.exe, MPGPH131.exefalse
                    • Avira URL Cloud: safe
                    unknown
                    https://db-ip.com/uMPGPH131.exe, 00000006.00000003.1728227491.0000000000D36000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://t.5FplTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.winimage.com/zLibDllplTAoSCew2.exe, 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp, plTAoSCew2.exe, 00000000.00000003.1666366479.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938053535.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1698887764.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1699835133.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1950317365.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000A.00000002.1885484407.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000A.00000003.1809231647.0000000000F30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1978107084.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000011.00000003.1889498144.0000000000F10000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplestJraVEZ3gCYZHistory.5.dr, JaptwNSGRKkjHistory.0.dr, BXcENIBcAk_THistory.5.dr, x2c20gF0jhVeHistory.0.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=plTAoSCew2.exe, 00000000.00000003.1749241617.0000000005849000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1745192277.0000000005818000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1747252402.0000000005839000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1769756212.00000000056EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1775878542.0000000005721000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1771654121.000000000570F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1773746105.0000000005860000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1772257779.0000000005850000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776251076.0000000005860000.00000004.00000020.00020000.00000000.sdmp, iNhzurVyetV1Web Data.5.dr, BCrFKBgDjUtEWeb Data.5.dr, A7WIY3rXdqseWeb Data.5.dr, CtJlzgnN12ymWeb Data.0.dr, lbl9TK4Z2XphWeb Data.0.dr, QrwWp85edTOGWeb Data.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ipinfo.io/GrrRageMP131.exe, 00000011.00000002.1979076933.0000000001041000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://77.91.77.81/cost/lenin.exeplTAoSCew2.exe, 00000000.00000002.1966229091.0000000005825000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1760783961.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1759698387.000000000580D000.00000004.00000020.00020000.00000000.sdmp, plTAoSCew2.exe, 00000000.00000003.1791446297.000000000581F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1938691666.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786597545.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1951555510.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771670751.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788060683.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1771282701.0000000000D32000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: phishing
                    unknown
                    https://t.me/RiseProSUPPORT-nplTAoSCew2.exe, 00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP              Domain     Country             ASN     ASN Name                                     Malicious
34.117.186.192  ipinfo.io  United States       139070  GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG  false
104.26.5.15     db-ip.com  United States       13335   CLOUDFLARENET US                             false
77.91.77.66     unknown    Russian Federation  42861   FOTONTELECOM-TRANSIT-AS FOTONTELECOM ISP RU  true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1460407
                    Start date and time:2024-06-20 23:36:05 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 9m 36s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:plTAoSCew2.exe
                    renamed because original name is a hash value
                    Original Sample Name:ad7b4598918c9f75bcad2d3837abc47e.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@14/60@2/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 68%
                    • Number of executed functions: 52
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 52.182.143.212
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: plTAoSCew2.exe
Time      Type             Description
17:37:22  API Interceptor  3x Sleep call for process: WerFault.exe modified
22:36:58  Task Scheduler   Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:36:58  Task Scheduler   Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:37:01  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
22:37:09  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3529232
                                      Entropy (8bit):7.957508090629618
                                      Encrypted:false
                                      SSDEEP:49152:ustZbif3Y+7iIP/+luqThrrmOWEgersFUx3VDzjtwrbAzToGb+938BLgd4nOKUKj:3tkfH7Okq5yOjFF1iAz8M/OKmiGXq
                                      MD5:AD7B4598918C9F75BCAD2D3837ABC47E
                                      SHA1:C216E887A2559BC45F4B75D8F97E8D2450F16213
                                      SHA-256:D0E3C511F4C02B9DD4130462AC716024AD29581A072A9095F40AC7C348C7EDE6
                                      SHA-512:6DE0D861F74E9710A3953AE2196A42DDE9BEE708DDAF40EE294ABEEADAB097B2E3FC9DE1A21AA146F747C821AF16D92C4CAB94537833BF1BBD7396B315D9BE66
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 51%
                                      Reputation:low
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.042738887564074
                                      Encrypted:false
                                      SSDEEP:192:MnQlLna0zU8ST0Z4LO6E6jj/ZrUUJcUzuiFYZ24IO8q6t:MI+AU/AZ4LhjqUzuiFYY4IO81
                                      MD5:5191D974DDF0EB460B1D7EF9E4FD4D03
                                      SHA1:FFEDE15B1894E58E9AC120F24CC20EEA96AA7CBA
                                      SHA-256:84DEDDEE88653DDDC42086E7910EC493234188BD4C0FE75C28B911F63CFC814B
                                      SHA-512:EAA7DC1B923876DDEDE487C8773813B06D1A79EAF36A54BEF7B50ACB248D531092BDCE2F1FF15EB4DEB1090FAFBB7757E8CB7B02A12E76D174163CCABC83584E
                                      Malicious:false
                                      Reputation:low
Preview (UTF-16 text, truncated in the report):
Version=1
EventType=APPCRASH
EventTime=133633930317008130
ReportType=2
Consent=1
UploadTime=133633930324351984
ReportStatus=524384
ReportIdentifier=51467a9a-3e89-495a-973b-ac70eee27268
IntegratorReportIdentifier=b7de826c-643a-4a44-a2bb-7e20c1333238
Wow64Host=34404
Wow64Guest=332
NsAppName=MPGPH131.exe
OriginalFilename=dotnet.exe
AppSessionGuid=00001890-0001-0014-2df6-8cfa59c3da01
TargetAppId=W:000651a435ae91a74fb4a6873265f3a49d27000009040!0000c216e887a2559bc45f4b75d8f97e8d2450f1621
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.0494018492399162
                                      Encrypted:false
                                      SSDEEP:192:6d4Nlhna0zp8ST0Z4LO6E6jjyZrofxjPzuiFYZ24IO8q6t:GIYAp/AZ4LhjLPzuiFYY4IO81
                                      MD5:963DDA56B3EFBB9AF3B1E42B7624F5B2
                                      SHA1:08D5C3DB0129F2614AB2D0BEAE5026B36F66335A
                                      SHA-256:36C913CA36710B351FA0E582F31B1A09F38605AF7783FAD50B314797F1EAFAD0
                                      SHA-512:4655AA92A2C7AE1A976C0CEE0307BC223F8C30B60E23876A275FFC32158373536D185D373912F91ECEC51825FEC3CD12CD1A6F6BD955640C25292CC3BD2BCDE6
                                      Malicious:false
                                      Reputation:low
                                      Preview:Version=1..EventType=APPCRASH..EventTime=133633930312170755..ReportType=2..Consent=1..UploadTime=133633930324358230..ReportStatus=524384..ReportIdentifier=e476fb89-b538-4349-955e-cbfc95808757..IntegratorReportIdentifier=31214c27-ad64-4ab6-9dcb-1c8ce4cd5ac3..Wow64Host=34404..Wow64Guest=332..NsAppName=MPGPH131.exe..OriginalFilename=dotnet.exe..AppSessionGuid=0000042c-0001-0014-987b-7afa59c3da01..TargetAppId=W:000651a435ae91a74fb4a6873265f3a49d2700000904!0000c216e887a2559bc45f4b75d8f97e8d2450f1621
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.0493586555327477
                                      Encrypted:false
                                      SSDEEP:192:N5oHTC8557B0O0UdJHJG/oaBjyZrosLZuzuiFYZ24IO8+3:qvn7O1UdJHATjyuzuiFYY4IO82
                                      MD5:3701D41B0F5A5AD2352E2AD0CE9E1358
                                      SHA1:81FC5A3C14C8B4C27EF4D8CA65FB719BD9890502
                                      SHA-256:A31FDED36DF3C2C504BB317E41D8C7AE97F73ACC9FB41325336A540F5211D2A4
                                      SHA-512:BE64E4BE4B69364D331E8C467E46D0E068C149A5E191F0EFA55CBA66C4DCF138129CF79E0E9E0344593BBA94BCA909D7280B66DFC4A231AEDB59143F36CA8B30
                                      Malicious:true
                                      Preview:Version=1..EventType=APPCRASH..EventTime=133633930286931054..ReportType=2..Consent=1..UploadTime=133633930297556043..ReportStatus=524384..ReportIdentifier=d4836472-6356-48f9-9aaa-e95ab3a9b742..IntegratorReportIdentifier=d254bd7d-524b-4414-9fcf-0f677e033dc3..Wow64Host=34404..Wow64Guest=332..NsAppName=plTAoSCew2.exe..OriginalFilename=dotnet.exe..AppSessionGuid=000001b0-0001-0014-8096-99f859c3da01..TargetAppId=W:000651a435ae91a74fb4a6873265f3a49d2700000904!0000c216e887a2559bc45f4b75d8f97e8d2450f16
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 21:37:09 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):104432
                                      Entropy (8bit):2.0484728446565774
                                      Encrypted:false
                                      SSDEEP:384:qPlarGEELI5pzzJFtvJpCLNo3GtAWVw0dOO8vFhvEfXa1a6aJfdYcN7FUyVFgDI4:MarJE8bxFtvJpVMAYw0dOIXyaxCcGj5
                                      MD5:C63021217C57C54B18E31CB6DDB7EAD2
                                      SHA1:2815C4BB5D050841FD81CD584A7E7E3694599EDC
                                      SHA-256:8F776F97089149BF7AE1BC64603918B12B4B4ABA954F3B9AC6A33FD68EF8AAFB
                                      SHA-512:C07A97B6CB7B795E24549B6BC63490CA43916A2ED4FD581F1159D6BEB6B0108A3942973AA4E029B8CE28E52744292DF770B84F186179765A33B9F6F9ADCEC2EE
                                      Malicious:false
                                      Preview:MDMP (binary minidump; printable strings in the preview: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406; the rest of the dump is non-printable)
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8392
                                      Entropy (8bit):3.7053449914376984
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJJ0I6kgX8Xe6Y9WSUXH64gmffTJJoCJG/wprH89bE4sfQHsm:R6lXJ96JMO6YsSUXtgmfrJJ9AtErfU
                                      MD5:CE00240F000A39EFB5A2A95DCD4CE6E7
                                      SHA1:4A9433FD27636D83B9173898B7A1A40C9C85B581
                                      SHA-256:17E018820BAC475D29E5C4B6EF58464265EA3FE1407796688CFF32D9F5AA7793
                                      SHA-512:33CF47A27608F7DECC218648132F8B35781B6762926AF99C6054255F30EF5F04915D3FD930DBDDA67F8F2F217C40002C448F8D3B64BDC1818930FD1493AF4081
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>432</Pid
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4713
                                      Entropy (8bit):4.523562624799049
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsDJg77aI9+JWpW8VYnYm8M4JQOhF+r+q8TOJ8RY0d:uIjfdI7447VjJQVrZJ8RY0d
                                      MD5:73BD4E3CB3DE9FB06032A65C727A7E7C
                                      SHA1:988414E04653430A89A145CCBC209686E0F623A2
                                      SHA-256:89F544120C6849C0CFA58BC0D64E417354CADB7B442097CA9ED32A9DA2F90459
                                      SHA-512:36505C2B9FA8EC73716317521DE9703A4082AA6CC49AF008DA1A537AB380A6C5320075CB0F0D90B494F4C56CB529C233766A7E9DE2997F132A576C450C13E344
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376599" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 21:37:11 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):98408
                                      Entropy (8bit):2.079714111680401
                                      Encrypted:false
                                      SSDEEP:384:Vc8zLPjmpp/RZFtvmYnAMxG77BMQKxZdUoWM5zswplb:C0DEpZFtvqMUR4Yg5Zp
                                      MD5:6BFC81AE13E87150878BF026F386505C
                                      SHA1:142DE0E4C56481BFCCFF3EBDF7EBBF39BFE77BC2
                                      SHA-256:F949C70D7D9762005BC9778E460BD1F5B4036104BD75056F8E8C5C876A4BE323
                                      SHA-512:C0B40A9E84936A43EFD5F87BA91C685B7DC49364021DDD60690EBCC251D932C3B78FB9AF4143E8F575B634C96318C7B95C4C2D1DDE37350430545E7618DB4DD4
                                      Malicious:false
                                      Preview:MDMP (binary minidump; printable strings in the preview: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406; the rest of the dump is non-printable)
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Thu Jun 20 21:37:11 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):103516
                                      Entropy (8bit):2.0396944247287747
                                      Encrypted:false
                                      SSDEEP:384:/XLPnHsH6PY8Rtvj/NJRzGRPs/9gwoGAwNqD/y+2GFxnC8PknlggVKtyt:/XDHRPY8Rtvj/bsslkt2yq
                                      MD5:755AD5DCE781248BFA6BA01844FF8850
                                      SHA1:BB5792CCF8253C33D842BDB1BD0490F6A3CE55A5
                                      SHA-256:12D3A7C5A1C7A562B1ADAABE3C6DD61D5CE8BA2739797024DE9F3219FFD86505
                                      SHA-512:31A978126F0E18A2164C311714A5A5CA1F4B2220B336BA6ECF05E7C14F5EC1F0C076C37310CF1428DED87C8B351EC6FA435E52D374BD7CA85C46F21243AD728B
                                      Malicious:false
                                      Preview:MDMP (binary minidump; printable strings in the preview: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406; the rest of the dump is non-printable)
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6366
                                      Entropy (8bit):3.7310048821161064
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJMXus6mjRX5XeYiiJJapr089bdfsf5fm:R6lXJMN6mdJOYBJJ+dEfM
                                      MD5:49F64767136D56F12198D0A6228F1D54
                                      SHA1:E9DC2D4E12C55895355130E1FEAA73D1F764F835
                                      SHA-256:88A5DF2F930869D82C5AD8FEB00B68DE70A4D6F1169D5114DB037366E233A827
                                      SHA-512:5328F1930A19C938C3DB2FA534B849342BDB14473A31502C98B482069A1F0BE4C9D21F35B8F32DE131B2E4C9493B7D776C6CA6E1FE5D54F68E88504B0A4DB4AD
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>1068</Pi
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4703
                                      Entropy (8bit):4.521239550743665
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsDJg77aI9+JWpW8VYcLYm8M4JHYFWjW+q8zy84nRnnd:uIjfdI7447V2JrWV80Bnd
                                      MD5:48C0F93EB828F84D03802F3093415893
                                      SHA1:FC7977F9A35F5DA56E4BB69FB539A64FE75E9910
                                      SHA-256:B21A058AED77B2B6D64ABF0657219D9700B04E54C470E2167E2F9562E8C1B086
                                      SHA-512:EFD43F4834E3309D16DD22D3A9B1B5659AA2AB2B119AB915560BFA691D40A7E3213DF11F98F45DD84FD9A8EC0CBF9737403CD8225BF96733DC73A8546657E81B
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376599" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6366
                                      Entropy (8bit):3.7277080038108115
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJNuJ60+wmYiiJJaprr89bG3sfTCm:R6lXJS6RwmYBJJjG8fH
                                      MD5:8FAFDF3FC3C78BF789AA20F9D56D35D6
                                      SHA1:2BABCBEDC3BA5A979E1B667A02EFE6950126A125
                                      SHA-256:ED847B00DA79C5752BCE4538BE24BA5D006F2F589E401424DAE6934580FFC772
                                      SHA-512:0FCFC62E318EB7089E9F88BAA0B5449BDE3054335F353460C2B6B044A87DCFB52075811D7CD43A70DB45663B8140A6E51F33093FB5C9E0126D1E3BFEF6498B5F
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>6288</Pi
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4703
                                      Entropy (8bit):4.520833527090707
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsDJg77aI9+JWpW8VYWYm8M4JHYFa+q8zNY84nRn2d:uIjfdI7447ViJTB80B2d
                                      MD5:3C32FEC935E4D790E1AE5623EC6FA144
                                      SHA1:7CE868890F41FA1D8BD91FC9AD12A4199BF227E6
                                      SHA-256:E2FD1E00DA6B4C3B6D306DAE99D1B567AD7AE92E9F79A47A3623414F5168FA0E
                                      SHA-512:F6EB3CA8BEB0E575363B865F1886E95EB45699320A204E08CF50ACFF1F57E112906E6622E96C60051F580F5993439257A39E756A3A023E1D741E4080F11A6F82
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="376599" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3529232
                                      Entropy (8bit):7.957508090629618
                                      Encrypted:false
                                      SSDEEP:49152:ustZbif3Y+7iIP/+luqThrrmOWEgersFUx3VDzjtwrbAzToGb+938BLgd4nOKUKj:3tkfH7Okq5yOjFF1iAz8M/OKmiGXq
                                      MD5:AD7B4598918C9F75BCAD2D3837ABC47E
                                      SHA1:C216E887A2559BC45F4B75D8F97E8D2450F16213
                                      SHA-256:D0E3C511F4C02B9DD4130462AC716024AD29581A072A9095F40AC7C348C7EDE6
                                      SHA-512:6DE0D861F74E9710A3953AE2196A42DDE9BEE708DDAF40EE294ABEEADAB097B2E3FC9DE1A21AA146F747C821AF16D92C4CAB94537833BF1BBD7396B315D9BE66
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 51%
                                      Preview:MZ (PE header; printable strings in the preview: "!This program cannot be run in DOS mode", Rich, PE, and the section names .rsrc, .idata, .tls, .themida, .boot, .reloc; the rest of the dump is non-printable)
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                      Category:modified
                                      Size (bytes):5620
                                      Entropy (8bit):7.892603574184713
                                      Encrypted:false
                                      SSDEEP:96:fUT29vHz9WQBavDziBP1Pe4McobRHSIBA6FuXcKjD09KGc50RAL0h3KJD:fUT29Hz9WGFh1Pe4q4gAaRKEq50SLs6d
                                      MD5:56E6512FAAF541CE169EB8010369D34F
                                      SHA1:B55E3AD6C1E6D609976E57292A81C476FBD245D6
                                      SHA-256:50EBAF9B4D8551E74F2AA1EE5F87F0ED6073CF85829EA2BC5894C435D2DFF5A5
                                      SHA-512:9C892457F3D13E654465C95B09A7AD7E86885C19A4D55232FB3525D8C5D084F4EC1975DBC3B1F0748F470B21F657D5CDA272FD25BF66B20618091FC6644F7274
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\RRyR9q5fccm7OnjvPC2dXYR.zip, Author: Joe Security
                                      Preview:PK (Zip archive; entry names visible in the preview: Cookies\ and Cookies\Chrome_Default.txt; the rest of the dump is deflate-compressed data)
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                      Category:modified
                                      Size (bytes):5542
                                      Entropy (8bit):7.896896363447472
                                      Encrypted:false
                                      SSDEEP:96:5WGzqeAoMq+YK0KF8cAJiI2i+uuVhhR/qlUHgJLFzzyWjypn3KJy:NqASpF8wFj3/qOHetApn6Jy
                                      MD5:CDD4AF5DFEC0C20E407C646977BEE603
                                      SHA1:999913D4EEA09837B80079D46928768AEC77530E
                                      SHA-256:E1E9E6D6CB1455A2E28052913DBDC42F21AA9A4CB25F36711200D50AE9432229
                                      SHA-512:B1C5808D82DC77FB4D8D4AF87B1AA056B166CAB27CEE2801E97727AC490DF8C332745F53ED8562ABD31C655CAC98373296DB02D0FC146089A2F06BE0B8AA1DDA
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\i6XbcxN8dLmuU_sWPwGcEWP.zip, Author: Joe Security
                                      Preview:PK (Zip archive; entry names visible in the preview: Cookies\ and Cookies\Chrome_Default.txt; the rest of the dump is deflate-compressed data)
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):13
                                      Entropy (8bit):2.7773627950641697
                                      Encrypted:false
                                      SSDEEP:3:L1XQdXC:RIy
                                      MD5:AE34C61723DDF52758CC3F13D7970C57
                                      SHA1:4923AB6CD96582BA7B208F4F9FFCF11BA2F4231F
                                      SHA-256:CBCBDD2A0ABB906D1A83F49912A639195F8C719CA36E262AB0675CC59FD9C543
                                      SHA-512:0AAF44FEC22E411C5F53428B370422E1E0967F9AF41CF572D755067EACBF30794A163340D4978FC8D0CE2C4D71AF9793DC96F9AA80282C2A56194B61FBD1DB7E
                                      Malicious:false
                                      Preview:1718925824311
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):98304
                                      Entropy (8bit):0.08235737944063153
                                      Encrypted:false
                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):5242880
                                      Entropy (8bit):0.037963276276857943
                                      Encrypted:false
                                      SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                      MD5:C0FDF21AE11A6D1FA1201D502614B622
                                      SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                      SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                      SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                      Malicious:false
                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):106496
                                      Entropy (8bit):1.1358696453229276
                                      Encrypted:false
                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):5242880
                                      Entropy (8bit):0.037963276276857943
                                      Encrypted:false
                                      SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                      MD5:C0FDF21AE11A6D1FA1201D502614B622
                                      SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                      SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                      SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                      Malicious:false
                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):40960
                                      Entropy (8bit):0.8553638852307782
                                      Encrypted:false
                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                      Category:dropped
                                      Size (bytes):159744
                                      Entropy (8bit):0.7873599747470391
                                      Encrypted:false
                                      SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                      MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                      SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                      SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                      SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):114688
                                      Entropy (8bit):0.9746603542602881
                                      Encrypted:false
                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):49152
                                      Entropy (8bit):0.8180424350137764
                                      Encrypted:false
                                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                      MD5:349E6EB110E34A08924D92F6B334801D
                                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):106496
                                      Entropy (8bit):1.1358696453229276
                                      Encrypted:false
                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):126976
                                      Entropy (8bit):0.47147045728725767
                                      Encrypted:false
                                      SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                      MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                      SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                      SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                      SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):126976
                                      Entropy (8bit):0.47147045728725767
                                      Encrypted:false
                                      SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                      MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                      SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                      SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                      SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):40960
                                      Entropy (8bit):0.8553638852307782
                                      Encrypted:false
                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):106496
                                      Entropy (8bit):1.1358696453229276
                                      Encrypted:false
                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):114688
                                      Entropy (8bit):0.9746603542602881
                                      Encrypted:false
                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                      Category:dropped
                                      Size (bytes):28672
                                      Entropy (8bit):2.5793180405395284
                                      Encrypted:false
                                      SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                      MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                      SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                      SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                      SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):114688
                                      Entropy (8bit):0.9746603542602881
                                      Encrypted:false
                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                      Category:dropped
                                      Size (bytes):159744
                                      Entropy (8bit):0.7873599747470391
                                      Encrypted:false
                                      SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                      MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                      SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                      SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                      SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):98304
                                      Entropy (8bit):0.08235737944063153
                                      Encrypted:false
                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):114688
                                      Entropy (8bit):0.9746603542602881
                                      Encrypted:false
                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):5242880
                                      Entropy (8bit):0.037963276276857943
                                      Encrypted:false
                                      SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                      MD5:C0FDF21AE11A6D1FA1201D502614B622
                                      SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                      SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                      SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                      Malicious:false
                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):106496
                                      Entropy (8bit):1.1358696453229276
                                      Encrypted:false
                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):106496
                                      Entropy (8bit):1.1358696453229276
                                      Encrypted:false
                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                      Category:dropped
                                      Size (bytes):159744
                                      Entropy (8bit):0.7873599747470391
                                      Encrypted:false
                                      SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                      MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                      SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                      SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                      SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):40960
                                      Entropy (8bit):0.8553638852307782
                                      Encrypted:false
                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):5242880
                                      Entropy (8bit):0.037963276276857943
                                      Encrypted:false
                                      SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                      MD5:C0FDF21AE11A6D1FA1201D502614B622
                                      SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                      SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                      SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                      Malicious:false
                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                      Category:dropped
                                      Size (bytes):28672
                                      Entropy (8bit):2.5793180405395284
                                      Encrypted:false
                                      SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                      MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                      SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                      SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                      SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):126976
                                      Entropy (8bit):0.47147045728725767
                                      Encrypted:false
                                      SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                      MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                      SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                      SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                      SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):114688
                                      Entropy (8bit):0.9746603542602881
                                      Encrypted:false
                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):106496
                                      Entropy (8bit):1.1358696453229276
                                      Encrypted:false
                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):126976
                                      Entropy (8bit):0.47147045728725767
                                      Encrypted:false
                                      SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                      MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                      SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                      SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                      SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):40960
                                      Entropy (8bit):0.8553638852307782
                                      Encrypted:false
                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                      Category:dropped
                                      Size (bytes):159744
                                      Entropy (8bit):0.7873599747470391
                                      Encrypted:false
                                      SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                      MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                      SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                      SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                      SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):114688
                                      Entropy (8bit):0.9746603542602881
                                      Encrypted:false
                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):49152
                                      Entropy (8bit):0.8180424350137764
                                      Encrypted:false
                                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                      MD5:349E6EB110E34A08924D92F6B334801D
                                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6085
                                      Entropy (8bit):6.038274200863744
                                      Encrypted:false
                                      SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                      MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                      SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                      SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                      SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                      Malicious:false
                                      Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:ASCII text, with CRLF, LF line terminators
                                      Category:dropped
                                      Size (bytes):6389
                                      Entropy (8bit):5.479716282283
                                      Encrypted:false
                                      SSDEEP:96:x4khORU2cT4Aisph+9hcmIUXMjJbeagOrIANUbg3x:xs62vAtphWhcmIUXo9gqB
                                      MD5:ADBA9E930088DCCADED408D488BCA524
                                      SHA1:E2F71BDE6EA1471CB105269303E557220D46E411
                                      SHA-256:FD80C0ACB322111E493EF21E60512EA0AF049321A594BAF0DD1DB84F9A27A6FF
                                      SHA-512:3458F09EFC0F18E454BC935A24C18D1CAF0BE568679BDD4364E23FC0C73981E8DFB438E37694F4F6B4E3A90BA710E1BC14B72E6836841BA1BD82020E76DF1D76
                                      Malicious:false
                                      Preview:Build: gemot..Version: 2.0....Date: Thu Jun 20 17:37:03 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 495bfda387306805044874eb6e629f2d....Path: C:\Users\user\Desktop\plTAoSCew2.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy46Z3XSirMLZy....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 347688 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 17:37:3..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe
                                      Process:C:\Users\user\Desktop\plTAoSCew2.exe
                                      File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                      Category:dropped
                                      Size (bytes):4897
                                      Entropy (8bit):2.518316437186352
                                      Encrypted:false
                                      SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                      MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                      SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                      SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                      SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                      Malicious:false
                                      Preview:................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):12170
                                      Entropy (8bit):6.038274200863744
                                      Encrypted:false
                                      SSDEEP:192:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WhHGYUnOTNC5IcXkWFXZQHRFJ5Pts7c3aP:gwsPbtKvCpqq40wsPbtKvCpqq47
                                      MD5:B6F52D24FC4333CE4C66DDA3C3735C85
                                      SHA1:5B69F1D66E95EFE2CF1710E9F58526B2AAEC67E4
                                      SHA-256:0FEE1A764F541EC6733DB89C823296650F6E581CD7D812D5A142B5A0AD9BC9B6
                                      SHA-512:CD2C6D64083061D7C7A7E89CF9C9F7D2B66301C73CFB56D2CCD94D1B810DE42774DAE5B77DB2E567A26FC54989C04D8A60D76225E6F3F91FCD2AE4D2E01F3C4C
                                      Malicious:false
                                      Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:ASCII text, with CRLF, LF line terminators
                                      Category:dropped
                                      Size (bytes):6388
                                      Entropy (8bit):5.480392352298229
                                      Encrypted:false
                                      SSDEEP:96:x4A9ORUDWcT4Aisph+9hcmIUXMjJbeagOrIANUbg3x:xs6DWvAtphWhcmIUXo9gqB
                                      MD5:F94C9954A67D9102136BB9830F916052
                                      SHA1:3E207C4D5F8508868800F435F440B65F9F9542EC
                                      SHA-256:ED8EB3F2D30734281F66C4AD96EF6D67551EABC95F733F98FBC073B9C619843A
                                      SHA-512:77B253CBEED406693F195715798FCBFF3AD63D7007004C0F006AC43D1D6BA0FBD9A122DC08F8B62255FFFE0AE4BAB5FD924BA26734C1C6FD65D4D683E93EB002
                                      Malicious:false
                                      Preview:Build: gemot..Version: 2.0....Date: Thu Jun 20 17:37:07 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 495bfda387306805044874eb6e629f2d....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyDo7faKvaMiW4....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 347688 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 20/6/2024 17:37:7..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe
                                      Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                      Category:dropped
                                      Size (bytes):4897
                                      Entropy (8bit):2.518316437186352
                                      Encrypted:false
                                      SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                      MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                      SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                      SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                      SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                      Malicious:false
                                      Preview:................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):1835008
                                      Entropy (8bit):4.469055216455085
                                      Encrypted:false
                                      SSDEEP:6144:AIXfpi67eLPU9skLmb0b4fWSPKaJG8nAgejZMMhA2gX4WABl0uN1dwBCswSbr:FXD94fWlLZMM6YFHP+r
                                      MD5:D538BD34F509E98545C684629889E34D
                                      SHA1:432356CB70EE010A83D1F679B81051AC61E001CE
                                      SHA-256:F3EE534FC16C1C209D036D456CCC463CD63A98EEEF9F0BD33569DD4086040E77
                                      SHA-512:EF18C6795645DE8127354F9AFD1F7A5A09D161074BF8CE76C74AD5D00E9A421EFB4D55669147DD48F4B87B76983DB6637A63640E9DDBCC935DF657A61C0AD158
                                      Malicious:false
                                      Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmb._.Z................................................................................................................................................................................................................................................................................................................................................?H4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.957508090629618
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:plTAoSCew2.exe
                                      File size:3'529'232 bytes
                                      MD5:ad7b4598918c9f75bcad2d3837abc47e
                                      SHA1:c216e887a2559bc45f4b75d8f97e8d2450f16213
                                      SHA256:d0e3c511f4c02b9dd4130462ac716024ad29581a072a9095f40ac7c348c7ede6
                                      SHA512:6de0d861f74e9710a3953ae2196a42dde9bee708ddaf40ee294abeeadab097b2e3fc9de1a21aa146f747c821af16d92c4cab94537833bf1bbd7396b315d9be66
                                      SSDEEP:49152:ustZbif3Y+7iIP/+luqThrrmOWEgersFUx3VDzjtwrbAzToGb+938BLgd4nOKUKj:3tkfH7Okq5yOjFF1iAz8M/OKmiGXq
                                      TLSH:4BF533E9C2910F00D3EF8BB332B7646A4A0EBB30079225B6070F47F5A95655C9FE6E54
                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                      Icon Hash:8596a1a0a1a1b171
                                      Entrypoint:0x9b2058
                                      Entrypoint Section:.boot
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:63814aaf116ba6abb6496ce4bcad24c6
                                      Instruction
                                      call 00007FC1A8B9A7B0h
                                      push ebx
                                      mov ebx, esp
                                      push ebx
                                      mov esi, dword ptr [ebx+08h]
                                      mov edi, dword ptr [ebx+10h]
                                      cld
                                      mov dl, 80h
                                      mov al, byte ptr [esi]
                                      inc esi
                                      mov byte ptr [edi], al
                                      inc edi
                                      mov ebx, 00000002h
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      jnc 00007FC1A8B9A64Ch
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      jnc 00007FC1A8B9A6B3h
                                      xor eax, eax
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      jnc 00007FC1A8B9A747h
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      adc eax, eax
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      adc eax, eax
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      adc eax, eax
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      adc eax, eax
                                      je 00007FC1A8B9A66Ah
                                      push edi
                                      mov eax, eax
                                      sub edi, eax
                                      mov al, byte ptr [edi]
                                      pop edi
                                      mov byte ptr [edi], al
                                      inc edi
                                      mov ebx, 00000002h
                                      jmp 00007FC1A8B9A5FBh
                                      mov eax, 00000001h
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      adc eax, eax
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      jc 00007FC1A8B9A64Ch
                                      sub eax, ebx
                                      mov ebx, 00000001h
                                      jne 00007FC1A8B9A68Ah
                                      mov ecx, 00000001h
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      adc ecx, ecx
                                      add dl, dl
                                      jne 00007FC1A8B9A667h
                                      mov dl, byte ptr [esi]
                                      inc esi
                                      adc dl, dl
                                      jc 00007FC1A8B9A64Ch
                                      push esi
                                      mov esi, edi
                                      sub esi, ebp
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19618b | 0x184 | .idata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18a000 | 0x1638 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x859000 | 0x10 | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x197018 | 0x18 | .tls
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x18369c | 0x40 | 
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x15bbc8 | 0x9d200 | dbc34f7bedc9221fe19b8650f74432bb | False | 0.9988905877088305 | data | 7.9802115805595335 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
 | 0x15d000 | 0x27e32 | 0x10a00 | c36a6233a30cf4b9013141ed48c14c71 | False | 0.9935385338345865 | data | 7.946439870622599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x185000 | 0x4930 | 0x800 | 2b584a247624043576bf5bad28be1d64 | False | 0.99267578125 | data | 7.795052778789591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x18a000 | 0x1638 | 0x1800 | fe6f3fdb9e7e97cba92d8ce4e4fcc95b | False | 0.7220052083333334 | data | 6.54017046361188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x18c000 | 0x9858 | 0x7200 | b72b12754fccacda92dcf03b73cf1547 | False | 0.9803316885964912 | data | 7.942464677064224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x196000 | 0x1000 | 0x400 | 1b20e07443fa333ff9692026d1e6c6c2 | False | 0.3984375 | data | 3.42439969016873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x197000 | 0x1000 | 0x200 | 54a50a058e0f3b6aa2fe1b22e2033106 | False | 0.056640625 | data | 0.18120187678200297 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida | 0x198000 | 0x41a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x5b2000 | 0x2a6200 | 0x2a6200 | c6da66b441a2721584f2970c06fa81a3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x859000 | 0x1000 | 0x10 | f5bc99b71bad9e8a775cc32747e3ca58 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.474601752714581 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x18a440 | 0x1060 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.8838263358778626
RT_GROUP_ICON | 0x18b4a0 | 0x14 | data | Russian | Russia | 1.05
RT_VERSION | 0x18a130 | 0x310 | data | Russian | Russia | 0.45408163265306123
RT_MANIFEST | 0x18b4b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | wsprintfA
GDI32.dll | CreateCompatibleBitmap
ADVAPI32.dll | RegQueryValueExA
SHELL32.dll | ShellExecuteA
ole32.dll | CoInitialize
WS2_32.dll | WSAStartup
CRYPT32.dll | CryptUnprotectData
SHLWAPI.dll | PathFindExtensionA
gdiplus.dll | GdipGetImageEncoders
SETUPAPI.dll | SetupDiEnumDeviceInfo
ntdll.dll | RtlUnicodeStringToAnsiString
RstrtMgr.DLL | RmStartSession
Language of compilation system | Country where language is spoken
Russian | Russia
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/20/24-23:37:06.459517 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:36:58.414569 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:37:20.478810 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49754 | 77.91.77.66 | 192.168.2.4
06/20/24-23:37:07.984285 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:37:12.469216 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49742 | 77.91.77.66 | 192.168.2.4
06/20/24-23:37:01.576649 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
06/20/24-23:37:23.984675 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49754 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:36:59.610617 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
06/20/24-23:37:01.475795 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
06/20/24-23:37:07.937383 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-23:36:59.830397 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
06/20/24-23:37:01.695305 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
06/20/24-23:37:01.804652 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 20, 2024 23:36:58.385592937 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:36:58.390779018 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:36:58.390880108 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:36:58.414568901 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:36:58.419641972 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:36:59.610616922 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:36:59.656024933 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:36:59.740719080 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:36:59.740883112 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:36:59.745825052 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:36:59.830396891 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:36:59.874785900 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:00.017927885 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:00.017982006 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:00.018074989 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:00.019625902 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:00.019640923 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:00.803045034 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:00.803179026 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:00.804889917 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:00.804903030 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:00.805254936 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:00.859117031 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:00.872497082 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:00.877897978 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:00.877998114 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:00.879534006 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:00.899147987 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:00.904170036 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:00.920552969 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:00.959105968 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:00.964206934 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:00.964294910 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:00.975054026 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:00.980062008 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.007133007 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:01.007317066 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:01.007395983 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.010277033 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.010293961 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:01.010308981 CEST | 49732 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.010315895 CEST | 443 | 49732 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:01.021680117 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.021707058 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.021781921 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.022077084 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.022088051 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.475795031 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.498948097 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.499430895 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.502213955 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.502230883 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.502615929 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.504348993 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.531004906 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.544537067 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.576648951 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.606535912 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.606791973 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.611610889 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.624788046 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.654922009 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.655061960 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.655118942 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.655657053 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.655673981 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.655698061 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:01.655704975 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:01.656532049 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.661258936 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.695305109 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.707531929 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.707712889 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.712692976 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.749862909 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.804651976 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.812103987 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.812160015 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:01.812298059 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.813272953 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.813287020 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:01.859133005 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.870663881 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.870702982 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:01.870807886 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.872108936 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:01.872128010 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:01.922966957 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:01.968539953 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.985030890 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:01.989852905 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.215657949 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.265399933 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.278990030 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.279069901 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.281202078 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.281212091 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.281591892 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.327949047 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.329386950 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.334356070 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.342835903 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.342967987 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.345237970 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.345244884 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.345642090 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.351145983 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.390417099 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.396503925 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.409171104 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.456505060 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.487277031 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.487500906 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.487551928 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.487807989 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.487832069 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.487845898 CEST | 49736 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.487853050 CEST | 443 | 49736 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.489835024 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:02.489866972 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:02.489939928 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:02.490382910 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:02.490396976 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:02.538065910 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.538465023 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.538559914 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.538659096 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.538659096 CEST | 49737 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 23:37:02.538675070 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.538685083 CEST | 443 | 49737 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 23:37:02.545224905 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:02.545253992 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:02.545326948 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:02.545591116 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:02.545604944 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:02.555560112 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.555815935 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.555850983 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.555895090 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.556251049 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.556282043 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.556308985 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.556701899 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.556732893 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.556763887 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.557476044 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.557511091 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.557534933 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.557542086 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.557593107 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.557595968 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.558275938 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.558352947 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.558382988 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.558402061 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.558414936 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.558469057 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.560867071 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.560925007 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.561038971 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.561073065 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.561134100 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.673384905 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.673562050 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.673578978 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.673634052 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.674269915 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.674293995 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.674329042 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.729885101 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.765587091 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:02.771115065 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.988953114 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:02.989052057 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:02.989701986 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:02.991228104 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:02.991238117 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:02.991575956 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:02.993108034 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.014269114 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.014362097 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.020193100 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.020204067 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.020550966 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.022057056 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.031023979 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.040505886 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.068510056 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.093569994 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.098429918 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.157871008 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.157965899 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.158057928 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.158221006 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.158243895 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.158255100 CEST | 49738 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.158269882 CEST | 443 | 49738 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.158663034 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.164633989 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.166456938 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.166702032 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.166764975 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.166980028 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.166997910 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.167012930 CEST | 49739 | 443 | 192.168.2.4 | 104.26.5.15
Jun 20, 2024 23:37:03.167020082 CEST | 443 | 49739 | 104.26.5.15 | 192.168.2.4
Jun 20, 2024 23:37:03.167378902 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.172163963 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.316013098 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.359136105 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.420371056 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.440155029 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.468540907 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.484136105 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.484314919 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.489173889 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.502630949 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.507522106 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.708579063 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.735018015 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.749921083 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.780987978 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.812521935 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.817421913 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:03.843899012 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:03.848848104 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.058461905 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.058604002 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.058625937 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.058763027 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.059014082 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.059031010 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.059058905 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.059525013 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.059542894 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.059587955 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.060199022 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.060221910 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.060250998 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.060749054 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.060771942 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.060821056 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.061178923 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.061197042 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.061239004 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.062026024 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.062045097 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.062081099 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.063811064 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.063858032 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.080864906 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.080959082 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.080974102 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.081125975 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.081346989 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.081397057 CEST | 49734 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 23:37:04.081444979 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 23:37:04.081870079 CEST | 58709 | 49734 | 77.91.77.66 | 192.168.2.4
                                      Jun 20, 2024 23:37:04.081883907 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.081897974 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.081937075 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.081953049 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.082416058 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.082429886 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.082472086 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.083148003 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.083164930 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.083178997 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.083230972 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.083898067 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.083914995 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.083940983 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.086076975 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.086191893 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.086235046 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.140414000 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.177018881 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.177331924 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.177349091 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.177521944 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.178035975 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.178054094 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.178116083 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.207581997 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.207750082 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.207911968 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.207984924 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.208268881 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.208286047 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.208324909 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.209260941 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.209606886 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.271378040 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.276290894 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.298317909 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.303257942 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.505243063 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.531766891 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.546740055 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.577864885 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.593696117 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.598553896 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.624869108 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.629673958 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.818722963 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.860814095 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:04.874741077 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:04.905986071 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:05.545701027 CEST4973158709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:05.545855999 CEST4973158709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:05.551949024 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:05.551968098 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:05.551980972 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:05.552006960 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:05.552020073 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:05.552021027 CEST4973158709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:05.552093983 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:05.556988955 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:06.459517002 CEST4973158709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:06.464560986 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:06.685884953 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:06.734119892 CEST4973158709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:07.937382936 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:07.943916082 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:07.984285116 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:07.991029978 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.159583092 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.211005926 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.249737978 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.359117985 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.362690926 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.362834930 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.367727041 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.367774010 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.367799044 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.367813110 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.367829084 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.368161917 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.378273010 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.462937117 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.463036060 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.467967987 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.467983961 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.467997074 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.468029976 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.468039989 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.468231916 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.468259096 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.473125935 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.827922106 CEST4973158709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:08.836241961 CEST587094973177.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:08.836322069 CEST4973158709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:11.437526941 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:11.443562031 CEST587094973377.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:11.443633080 CEST4973358709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:11.546804905 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:11.554244041 CEST587094973477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:11.554328918 CEST4973458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:11.873778105 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:11.878916979 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:11.879014015 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:11.894536972 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:11.899708986 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:12.469216108 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:12.516504049 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:12.596687078 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:12.623735905 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:12.628747940 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:12.683515072 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:12.734096050 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:13.252763987 CEST49745443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:13.252814054 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.252908945 CEST49745443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:13.254426003 CEST49745443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:13.254446030 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.727013111 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.727096081 CEST49745443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:13.730221987 CEST49745443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:13.730233908 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.730995893 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.788019896 CEST49745443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:13.828502893 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.914485931 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.914767027 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.914838076 CEST49745443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:13.915435076 CEST49745443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:13.915461063 CEST4434974534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:13.918236971 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:13.918322086 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:13.918540001 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:13.918839931 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:13.918864012 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.383297920 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.383383989 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:14.384977102 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:14.384993076 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.385351896 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.391772032 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:14.432547092 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.543596983 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.543855906 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.544107914 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:14.545530081 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:14.545571089 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.545599937 CEST49747443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:14.545619965 CEST44349747104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:14.545962095 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:14.550928116 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:14.804399014 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:14.859077930 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:14.874917030 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:14.879796028 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:15.099287033 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:15.143830061 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:18.218543053 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:18.223828077 CEST587094974277.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:18.223892927 CEST4974258709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:19.846676111 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:19.851573944 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:19.851775885 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:19.867244005 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:19.872183084 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:20.478810072 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:20.530931950 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:20.616318941 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:20.616581917 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:20.621351957 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:20.706726074 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:20.749800920 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:20.979058981 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:20.979109049 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:20.979275942 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:20.980009079 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:20.980030060 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.435722113 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.435833931 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:21.436937094 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:21.436969995 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.437199116 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.478140116 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:21.520530939 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.604255915 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.604372978 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.604429007 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:21.625149965 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:21.625149965 CEST49755443192.168.2.434.117.186.192
                                      Jun 20, 2024 23:37:21.625240088 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.625272989 CEST4434975534.117.186.192192.168.2.4
                                      Jun 20, 2024 23:37:21.630808115 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:21.630871058 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:21.630958080 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:21.631248951 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:21.631283998 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.095213890 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.095312119 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:22.099332094 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:22.099381924 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.099756002 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.101114035 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:22.148499966 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.271986961 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.272108078 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.272173882 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:22.273937941 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:22.273966074 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.273988962 CEST49757443192.168.2.4104.26.5.15
                                      Jun 20, 2024 23:37:22.273997068 CEST44349757104.26.5.15192.168.2.4
                                      Jun 20, 2024 23:37:22.274313927 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:22.279220104 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:23.984674931 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:23.989554882 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:24.070168018 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:24.124692917 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:24.142621994 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:24.147519112 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:24.214642048 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:24.265320063 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:24.376527071 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:24.421566010 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:27.484143019 CEST4975458709192.168.2.477.91.77.66
                                      Jun 20, 2024 23:37:27.489718914 CEST587094975477.91.77.66192.168.2.4
                                      Jun 20, 2024 23:37:27.489780903 CEST4975458709192.168.2.477.91.77.66
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Jun 20, 2024 23:37:00.005471945 CEST  54084        53         192.168.2.4      1.1.1.1
Jun 20, 2024 23:37:00.012722969 CEST  53           54084      1.1.1.1          192.168.2.4
Jun 20, 2024 23:37:01.013174057 CEST  51812        53         192.168.2.4      1.1.1.1
Jun 20, 2024 23:37:01.021081924 CEST  53           51812      1.1.1.1          192.168.2.4

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
Jun 20, 2024 23:37:00.005471945 CEST  192.168.2.4  1.1.1.1  0x1c5f    Standard query (0)  ipinfo.io  A (IP address)  IN (0x0001)  false
Jun 20, 2024 23:37:01.013174057 CEST  192.168.2.4  1.1.1.1  0xd404    Standard query (0)  db-ip.com  A (IP address)  IN (0x0001)  false

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name       CName  Address         Type            Class        DNS over HTTPS
Jun 20, 2024 23:37:00.012722969 CEST  1.1.1.1    192.168.2.4  0x1c5f    No error (0)  ipinfo.io  -      34.117.186.192  A (IP address)  IN (0x0001)  false
Jun 20, 2024 23:37:01.021081924 CEST  1.1.1.1    192.168.2.4  0xd404    No error (0)  db-ip.com  -      104.26.5.15     A (IP address)  IN (0x0001)  false
Jun 20, 2024 23:37:01.021081924 CEST  1.1.1.1    192.168.2.4  0xd404    No error (0)  db-ip.com  -      104.26.4.15     A (IP address)  IN (0x0001)  false
Jun 20, 2024 23:37:01.021081924 CEST  1.1.1.1    192.168.2.4  0xd404    No error (0)  db-ip.com  -      172.67.75.166   A (IP address)  IN (0x0001)  false

• ipinfo.io
• https:
• db-ip.com
Session ID  Source IP    Source Port  Destination IP  Destination Port
0           192.168.2.4  49730        34.117.186.192  443

Timestamp                Bytes transferred  Direction  Data
2024-06-20 21:36:50 UTC  59                 OUT        GET / HTTP/1.1
Host: ipinfo.io
Connection: Keep-Alive
2024-06-20 21:36:50 UTC  513                IN         HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 20 Jun 2024 21:36:50 GMT
content-type: application/json; charset=utf-8
Content-Length: 319
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-20 21:36:50 UTC  319                IN         Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22
Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      1192.168.2.44973234.117.186.192443432C:\Users\user\Desktop\plTAoSCew2.exe
                                      TimestampBytes transferredDirectionData
                                      2024-06-20 21:37:00 UTC236OUTGET /widget/demo/8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Referer: https://ipinfo.io/
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: ipinfo.io
                                      2024-06-20 21:37:01 UTC514INHTTP/1.1 200 OK
                                      server: nginx/1.24.0
                                      date: Thu, 20 Jun 2024 21:37:00 GMT
                                      content-type: application/json; charset=utf-8
                                      Content-Length: 1025
                                      access-control-allow-origin: *
                                      x-frame-options: SAMEORIGIN
                                      x-xss-protection: 1; mode=block
                                      x-content-type-options: nosniff
                                      referrer-policy: strict-origin-when-cross-origin
                                      x-envoy-upstream-service-time: 1
                                      via: 1.1 google
                                      strict-transport-security: max-age=2592000; includeSubDomains
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close
                                      2024-06-20 21:37:01 UTC | 876               | IN        | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                      Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                      2024-06-20 21:37:01 UTC | 149               | IN        | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                      Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      2          | 192.168.2.4 | 49735       | 104.26.5.15    | 443              | 432  | C:\Users\user\Desktop\plTAoSCew2.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:01 UTC | 260               | OUT       | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: db-ip.com
                                      2024-06-20 21:37:01 UTC | 657               | IN        | HTTP/1.1 200 OK
                                      Date: Thu, 20 Jun 2024 21:37:01 GMT
                                      Content-Type: application/json
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      x-iplb-request-id: A29E9AFD:CDB2_93878F2E:0050_6674A0FD_14D26362:4F34
                                      x-iplb-instance: 59215
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fNaiHF853ZFH5GjB7%2BZY8zcnMt%2FgAigJ89MwDqQI%2Fc8Sr4ZUVaPG7DCUyYnA2K1JU0QSUasVrFzam%2BbVLf4sMxqnDPfcn2MwwrbApfVOdFS5gBkC3LoQahmYhw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 896ee5d0da17436a-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-06-20 21:37:01 UTC | 85                | IN        | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                      Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                      2024-06-20 21:37:01 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      3          | 192.168.2.4 | 49736       | 34.117.186.192 | 443              | 1068 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:02 UTC | 236               | OUT       | GET /widget/demo/8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Referer: https://ipinfo.io/
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: ipinfo.io
                                      2024-06-20 21:37:02 UTC | 514               | IN        | HTTP/1.1 200 OK
                                      server: nginx/1.24.0
                                      date: Thu, 20 Jun 2024 21:37:02 GMT
                                      content-type: application/json; charset=utf-8
                                      Content-Length: 1025
                                      access-control-allow-origin: *
                                      x-frame-options: SAMEORIGIN
                                      x-xss-protection: 1; mode=block
                                      x-content-type-options: nosniff
                                      referrer-policy: strict-origin-when-cross-origin
                                      x-envoy-upstream-service-time: 2
                                      via: 1.1 google
                                      strict-transport-security: max-age=2592000; includeSubDomains
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close
                                      2024-06-20 21:37:02 UTC | 876               | IN        | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                      Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                      2024-06-20 21:37:02 UTC | 149               | IN        | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                      Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      4          | 192.168.2.4 | 49737       | 34.117.186.192 | 443              | 6288 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:02 UTC | 236               | OUT       | GET /widget/demo/8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Referer: https://ipinfo.io/
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: ipinfo.io
                                      2024-06-20 21:37:02 UTC | 514               | IN        | HTTP/1.1 200 OK
                                      server: nginx/1.24.0
                                      date: Thu, 20 Jun 2024 21:37:02 GMT
                                      content-type: application/json; charset=utf-8
                                      Content-Length: 1025
                                      access-control-allow-origin: *
                                      x-frame-options: SAMEORIGIN
                                      x-xss-protection: 1; mode=block
                                      x-content-type-options: nosniff
                                      referrer-policy: strict-origin-when-cross-origin
                                      x-envoy-upstream-service-time: 2
                                      via: 1.1 google
                                      strict-transport-security: max-age=2592000; includeSubDomains
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close
                                      2024-06-20 21:37:02 UTC | 876               | IN        | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                      Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                      2024-06-20 21:37:02 UTC | 149               | IN        | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                      Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      5          | 192.168.2.4 | 49738       | 104.26.5.15    | 443              | 1068 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:02 UTC | 260               | OUT       | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: db-ip.com
                                      2024-06-20 21:37:03 UTC | 665               | IN        | HTTP/1.1 200 OK
                                      Date: Thu, 20 Jun 2024 21:37:03 GMT
                                      Content-Type: application/json
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      x-iplb-request-id: A29E9BB3:D068_93878F2E:0050_6674A0FF_14BE55CA:7B63
                                      x-iplb-instance: 59128
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1I%2B3J3rTb1zziFRFXeXVvyPnL5mbMeHQW30uzG2HjpEp7kHEkc2a6FJFtroYYrjKfC%2BON5VDKUmkdResR%2FwBwaSN9aY%2BeA9puxT5%2F%2BudNtlekQUEMSRZBM%2FY%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 896ee5da3ea643d9-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-06-20 21:37:03 UTC | 85                | IN        | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                      Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                      2024-06-20 21:37:03 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      6          | 192.168.2.4 | 49739       | 104.26.5.15    | 443              | 6288 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:03 UTC | 260               | OUT       | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: db-ip.com
                                      2024-06-20 21:37:03 UTC | 661               | IN        | HTTP/1.1 200 OK
                                      Date: Thu, 20 Jun 2024 21:37:03 GMT
                                      Content-Type: application/json
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      x-iplb-request-id: AC46E721:9A28_93878F2E:0050_6674A0FF_14BE55CB:7B63
                                      x-iplb-instance: 59128
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i75Ak%2FfGDfnLKdBm%2BJPAKeLCMmWTKw5RBDvrP7GKHpujIy124JQouIDPPJo6We%2B%2Bsysu4DBkp06a%2F0RVfZGsdNaofVLdnAI6pRE%2FxhfH1XwvypjIi9XoAJBePw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 896ee5da48b78c23-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-06-20 21:37:03 UTC | 85                | IN        | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                      Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                      2024-06-20 21:37:03 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      7          | 192.168.2.4 | 49745       | 34.117.186.192 | 443              | 7396 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:13 UTC | 236               | OUT       | GET /widget/demo/8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Referer: https://ipinfo.io/
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: ipinfo.io
                                      2024-06-20 21:37:13 UTC | 514               | IN        | HTTP/1.1 200 OK
                                      server: nginx/1.24.0
                                      date: Thu, 20 Jun 2024 21:37:13 GMT
                                      content-type: application/json; charset=utf-8
                                      Content-Length: 1025
                                      access-control-allow-origin: *
                                      x-frame-options: SAMEORIGIN
                                      x-xss-protection: 1; mode=block
                                      x-content-type-options: nosniff
                                      referrer-policy: strict-origin-when-cross-origin
                                      x-envoy-upstream-service-time: 2
                                      via: 1.1 google
                                      strict-transport-security: max-age=2592000; includeSubDomains
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close
                                      2024-06-20 21:37:13 UTC | 876               | IN        | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                      Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                      2024-06-20 21:37:13 UTC | 149               | IN        | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                      Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      8          | 192.168.2.4 | 49747       | 104.26.5.15    | 443              | 7396 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:14 UTC | 260               | OUT       | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: db-ip.com
                                      2024-06-20 21:37:14 UTC | 663               | IN        | HTTP/1.1 200 OK
                                      Date: Thu, 20 Jun 2024 21:37:14 GMT
                                      Content-Type: application/json
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      x-iplb-request-id: AC466F09:DFB8_93878F2E:0050_6674A10A_14D2650C:4F34
                                      x-iplb-instance: 59215
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q6fQtLLToJz%2Brk3%2BA5EH%2Bz4bWElx2eH%2FBl7TmNRiViy9lQQsQDiJuIUBOfPp8b0RJOAuJ1dbSAGvD8wVnxUlsoXS6kox6%2FulBkSsRDplA%2BGMaYjKPuot%2BLeLyA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 896ee6216ae41855-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-06-20 21:37:14 UTC | 85                | IN        | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                      Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                      2024-06-20 21:37:14 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      9          | 192.168.2.4 | 49755       | 34.117.186.192 | 443              | 7840 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:21 UTC | 236               | OUT       | GET /widget/demo/8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Referer: https://ipinfo.io/
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: ipinfo.io
                                      2024-06-20 21:37:21 UTC | 514               | IN        | HTTP/1.1 200 OK
                                      server: nginx/1.24.0
                                      date: Thu, 20 Jun 2024 21:37:21 GMT
                                      content-type: application/json; charset=utf-8
                                      Content-Length: 1025
                                      access-control-allow-origin: *
                                      x-frame-options: SAMEORIGIN
                                      x-xss-protection: 1; mode=block
                                      x-content-type-options: nosniff
                                      referrer-policy: strict-origin-when-cross-origin
                                      x-envoy-upstream-service-time: 2
                                      via: 1.1 google
                                      strict-transport-security: max-age=2592000; includeSubDomains
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close
                                      2024-06-20 21:37:21 UTC | 876               | IN        | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                      Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                      2024-06-20 21:37:21 UTC | 149               | IN        | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                      Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                      10         | 192.168.2.4 | 49757       | 104.26.5.15    | 443              | 7840 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-06-20 21:37:22 UTC | 260               | OUT       | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                      Connection: Keep-Alive
                                      Content-Type: application/x-www-form-urlencoded
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                      Host: db-ip.com
                                      2024-06-20 21:37:22 UTC | 663               | IN        | HTTP/1.1 200 OK
                                      Date: Thu, 20 Jun 2024 21:37:22 GMT
                                      Content-Type: application/json
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      x-iplb-request-id: AC46E74B:6644_93878F2E:0050_6674A112_14BE5845:7B63
                                      x-iplb-instance: 59128
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IhppOZkfJt%2BW4Ezq5%2B7EoShLFfWMBb6quyVI%2FPo%2Fw%2BSausljmWGBNuV2Y0c660PVbwZmCJOM9%2FBF6qu6%2FAJGCxg117E7hkLAp6PfQJTBaBcHGFVSlBHPqkMBKw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 896ee651ba447c9c-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-06-20 21:37:22 UTC | 85                | IN        | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                      Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                      2024-06-20 21:37:22 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0
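
                                      The ten sessions above share one pattern: the dropper and both of its persistence copies (C:\ProgramData\MPGPH131\MPGPH131.exe and C:\Users\user\AppData\Local\RageMP131\RageMP131.exe) look up the sandbox's public IP at ipinfo.io and db-ip.com with a Chrome User-Agent, and the ipinfo.io request carries Referer: https://ipinfo.io/ so that the site's own website widget endpoint answers it. The script below is an added example written for this page, not Joe Security code and not code from the sample: it rebuilds the ten sessions as constructed input (timestamps, PIDs and images as listed above, requests trimmed to the request line and the headers the checks use) and flags the three signals a detection engineer would key on: a non-browser image using a browser User-Agent against a geolocation service, the forged Referer on the widget endpoint, and the same external IP being looked up from several PIDs and binaries within seconds. The service list and the browser image names are assumptions to tune per environment.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: analyst-maintained lists; tune both per environment.
GEO_SERVICES = {"ipinfo.io", "db-ip.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Session:
    ts: datetime
    pid: int
    process: str   # image path of the process that opened the connection
    request: str   # request line plus headers, as dumped in the report


@dataclass
class Finding:
    session: Session
    host: str
    target_ip: str | None   # the IP being looked up, taken from the path
    reasons: list[str]


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Return (method, path, lower-cased header map) from a raw request head."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def check_session(s: Session) -> Finding | None:
    """Finding if the session talks to a geolocation service, else None."""
    method, path, h = parse_request(s.request)
    host = h.get("host", "").lower()
    if host not in GEO_SERVICES:
        return None
    reasons = [f"{method} {path} to IP-geolocation service {host}"]
    image = s.process.rsplit("\\", 1)[-1].lower()
    if image not in BROWSERS and h.get("user-agent", "").lower().startswith("mozilla/"):
        reasons.append(f"browser User-Agent sent by non-browser image {image}")
    # /widget/ backs ipinfo.io's own web page; a desktop binary presenting
    # Referer: https://ipinfo.io/ is forging that browsing context.
    if (host == "ipinfo.io" and path.startswith("/widget/")
            and h.get("referer", "").startswith("https://ipinfo.io")):
        reasons.append("website widget endpoint called with a spoofed Referer")
    m = IPV4.search(path)
    return Finding(s, host, m.group(0) if m else None, reasons)


def triage(sessions: list[Session]) -> tuple[list[Finding], dict[str, dict[str, int]]]:
    """Per-session findings plus, per looked-up IP, how many PIDs/images asked."""
    findings = [f for f in map(check_session, sessions) if f is not None]
    groups: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        if f.target_ip:
            groups[f.target_ip].append(f)
    fanout: dict[str, dict[str, int]] = {}
    for ip, fs in groups.items():
        times = [f.session.ts for f in fs]
        fanout[ip] = {
            "lookups": len(fs),
            "pids": len({f.session.pid for f in fs}),
            "images": len({f.session.process.lower() for f in fs}),
            "span_s": int((max(times) - min(times)).total_seconds()),
        }
    return findings, fanout


# --- Constructed input: sessions 1-10 above, trimmed to what the checks use ---
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")
IPINFO_REQ = ("GET /widget/demo/8.46.123.33 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
              f"Referer: https://ipinfo.io/\r\nUser-Agent: {UA}\r\nHost: ipinfo.io\r\n\r\n")
DBIP_REQ = ("GET /demo/home.php?s=8.46.123.33 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"User-Agent: {UA}\r\nHost: db-ip.com\r\n\r\n")
DROPPER = r"C:\Users\user\Desktop\plTAoSCew2.exe"
COPY_PD = r"C:\ProgramData\MPGPH131\MPGPH131.exe"
COPY_LA = r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"


def at(hms: str) -> datetime:
    h, m, s = (int(x) for x in hms.split(":"))
    return datetime(2024, 6, 20, h, m, s, tzinfo=timezone.utc)


# (ipinfo.io time, db-ip.com time, PID, image) for each of the five processes.
SPEC = [("21:37:00", "21:37:01", 432, DROPPER), ("21:37:02", "21:37:02", 1068, COPY_PD),
        ("21:37:02", "21:37:03", 6288, COPY_PD), ("21:37:13", "21:37:14", 7396, COPY_LA),
        ("21:37:21", "21:37:22", 7840, COPY_LA)]
SESSIONS = [Session(at(t), pid, img, req) for t1, t2, pid, img in SPEC
            for t, req in ((t1, IPINFO_REQ), (t2, DBIP_REQ))]

if __name__ == "__main__":
    found, fan = triage(SESSIONS)
    print(*(f"{f.session.pid} {f.host}: {'; '.join(f.reasons)}" for f in found), fan, sep="\n")
```

                                      Run as is, the script reports all ten sessions and a fan-out of five PIDs and three distinct images for 8.46.123.33 within 22 seconds, which is the signal worth alerting on: one process asking ipinfo.io where it is can be a legitimate application, but the dropper plus two freshly created copies doing so in lockstep is the stealer profiling the host. The individual checks are cheap enough to run over proxy logs; the fan-out needs the process context a sandbox or an EDR supplies.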


                                      Target ID: 0
                                      Start time: 17:36:55
                                      Start date: 20/06/2024
                                      Path: C:\Users\user\Desktop\plTAoSCew2.exe
                                      Wow64 process (32bit): true
                                      Commandline: "C:\Users\user\Desktop\plTAoSCew2.exe"
                                      Imagebase: 0x400000
                                      File size: 3'529'232 bytes
                                      MD5 hash: AD7B4598918C9F75BCAD2D3837ABC47E
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.1965027381.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.1966042254.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1791524447.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1965027381.0000000000F97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation: low
                                      Has exited: true

                                      Target ID: 1
                                      Start time: 17:36:57
                                      Start date: 20/06/2024
                                      Path: C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit): true
                                      Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                      Imagebase: 0x8f0000
                                      File size: 187'904 bytes
                                      MD5 hash: 48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high
                                      Has exited: true

                                      Target ID:2
                                      Start time:17:36:57
                                      Start date:20/06/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:17:36:57
                                      Start date:20/06/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                      Imagebase:0x8f0000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:17:36:57
                                      Start date:20/06/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:17:36:58
                                      Start date:20/06/2024
                                      Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      Imagebase:0x400000
                                      File size:3'529'232 bytes
                                      MD5 hash:AD7B4598918C9F75BCAD2D3837ABC47E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1817420453.00000000056E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1786962093.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1786825043.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.1939291540.00000000056E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.1939291540.000000000568C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1786572125.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1938691666.0000000000E3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 51%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:6
                                      Start time:17:36:58
                                      Start date:20/06/2024
                                      Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                      Imagebase:0x400000
                                      File size:3'529'232 bytes
                                      MD5 hash:AD7B4598918C9F75BCAD2D3837ABC47E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.1951132632.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:17:37:08
                                      Start date:20/06/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1920
                                      Imagebase:0x880000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:17:37:09
                                      Start date:20/06/2024
                                      Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                      Imagebase:0x400000
                                      File size:3'529'232 bytes
                                      MD5 hash:AD7B4598918C9F75BCAD2D3837ABC47E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 51%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:12
                                      Start time:17:37:10
                                      Start date:20/06/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1876
                                      Imagebase:0x880000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:14
                                      Start time:17:37:10
                                      Start date:20/06/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 1744
                                      Imagebase:0x880000
                                      File size:483'680 bytes
                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:17
                                      Start time:17:37:17
                                      Start date:20/06/2024
                                      Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                      Imagebase:0x400000
                                      File size:3'529'232 bytes
                                      MD5 hash:AD7B4598918C9F75BCAD2D3837ABC47E
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:23.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:51.7%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:44
                                        execution_graph: [interactive execution-graph widget data, extracted here as a flat node/edge listing. Recoverable information: the listing starts at function 45e140 (calling 40b8e0), with a second component starting at 45f740; Win32 APIs referenced by graph nodes: CreateDirectoryA, SHGetFolderPathA, CopyFileA, FindFirstFileA, FindNextFileA, FindClose, GetLastError, GetCurrentProcess, IsWow64Process, GetSystemTimeAsFileTime, RtlReleaseSRWLockExclusive; C/C++ runtime symbols referenced: std::_Throw_Cpp_error, std::ios_base::_Ios_base_dtor, std::_Locinfo::_Locinfo_ctor, __fread_nolock.]
49550 4e6c9a 49548->49550 49549->49410 49552 433672 std::_Facet_Register 3 API calls 49551->49552 49553 41b2b8 49552->49553 49554 41b2e2 49553->49554 49555 41b3b4 49553->49555 49556 433672 std::_Facet_Register 3 API calls 49554->49556 49558 402cf0 std::_Throw_Cpp_error 41 API calls 49555->49558 49557 41b2f7 49556->49557 49597 42e7e0 49557->49597 49559 41b3c4 49558->49559 49560 41ace0 41 API calls 49559->49560 49562 41b3d9 49560->49562 49564 407cf0 41 API calls 49562->49564 49563 41b33b 49565 41b352 49563->49565 49566 41d1d0 41 API calls 49563->49566 49568 41b3ee 49564->49568 49609 41d1d0 49565->49609 49566->49565 49569 4351fb Concurrency::cancel_current_task RaiseException 49568->49569 49570 41b3ff 49569->49570 49571 41b390 std::ios_base::_Ios_base_dtor 49571->49454 49573 4219d0 49572->49573 49574 4219f5 49572->49574 49573->49454 49575 402cf0 std::_Throw_Cpp_error 41 API calls 49574->49575 49576 421a03 49575->49576 49577 41ace0 41 API calls 49576->49577 49578 421a18 49577->49578 49579 407cf0 41 API calls 49578->49579 49580 421a2d 49579->49580 49583->49452 49584->49452 49585->49452 49586->49452 49587->49406 49588->49454 49589->49454 49590->49409 49603 42e82a 49597->49603 49608 42e9ff 49597->49608 49599 42ea1a 49647 407260 RaiseException 49599->49647 49600 433672 std::_Facet_Register 3 API calls 49600->49603 49602 42ea1f 49604 42ea3d 49602->49604 49648 42d6a0 41 API calls std::_Throw_Cpp_error 49602->49648 49603->49599 49603->49600 49605 4163b0 41 API calls std::_Throw_Cpp_error 49603->49605 49606 402df0 std::_Throw_Cpp_error 41 API calls 49603->49606 49603->49608 49614 413d50 49603->49614 49604->49563 49605->49603 49606->49603 49608->49563 49610 41d24d 49609->49610 49612 41d1f8 std::ios_base::_Ios_base_dtor 49609->49612 49610->49571 49611 41d1d0 41 API calls 49611->49612 49612->49610 49612->49611 49613 402df0 std::_Throw_Cpp_error 41 API calls 49612->49613 49613->49612 49615 413d8f 49614->49615 49640 413df7 std::_Locinfo::_Locinfo_ctor 49614->49640 49616 413d96 
49615->49616 49617 413e69 49615->49617 49618 413f7d 49615->49618 49619 413f1e 49615->49619 49615->49640 49622 433672 std::_Facet_Register 3 API calls 49616->49622 49621 433672 std::_Facet_Register 3 API calls 49617->49621 49623 433672 std::_Facet_Register 3 API calls 49618->49623 49651 417e80 41 API calls 2 library calls 49619->49651 49624 413e73 49621->49624 49625 413da0 49622->49625 49626 413f8a 49623->49626 49624->49640 49650 42bf30 41 API calls 3 library calls 49624->49650 49627 433672 std::_Facet_Register 3 API calls 49625->49627 49630 413fd3 49626->49630 49631 41408e 49626->49631 49626->49640 49629 413dd2 49627->49629 49649 42f460 41 API calls 2 library calls 49629->49649 49635 414004 49630->49635 49636 413fdb 49630->49636 49652 403330 RaiseException 49631->49652 49632 413eb1 49632->49640 49643 413d50 41 API calls 49632->49643 49637 433672 std::_Facet_Register 3 API calls 49635->49637 49638 414093 49636->49638 49639 413fe6 49636->49639 49637->49640 49653 402b50 RaiseException Concurrency::cancel_current_task ___std_exception_copy 49638->49653 49642 433672 std::_Facet_Register 3 API calls 49639->49642 49640->49603 49644 413fec 49642->49644 49643->49632 49644->49640 49645 438c70 std::_Throw_Cpp_error 41 API calls 49644->49645 49646 41409d 49645->49646 49647->49602 49648->49602 49649->49640 49650->49632 49651->49640 49653->49644 49810 46aa80 50037 46aaba 49810->50037 49811 478b27 49812 46aae1 49813 4163b0 std::_Throw_Cpp_error 41 API calls 49812->49813 49814 4163b0 std::_Throw_Cpp_error 41 API calls 49812->49814 49813->49812 49815 46ab3c 49814->49815 49816 46abc4 49815->49816 49818 46abde 49816->49818 49817 403040 std::_Throw_Cpp_error 41 API calls 49817->49818 49818->49817 49819 403040 std::_Throw_Cpp_error 41 API calls 49818->49819 49820 46ad59 49819->49820 49822 46ad84 49820->49822 51157 47721c 49820->51157 51158 4aa200 49820->51158 49824 46ad96 49822->49824 49823 47722a 49825 47724c 49823->49825 49826 46adb8 49824->49826 49828 4163b0 std::_Throw_Cpp_error 41 
API calls 49825->49828 49827 4163b0 std::_Throw_Cpp_error 41 API calls 49826->49827 49830 46adc0 49827->49830 49829 47725b 49828->49829 49838 477278 49829->49838 49831 46adda 49830->49831 49832 46ade1 49831->49832 49834 4163b0 std::_Throw_Cpp_error 41 API calls 49832->49834 49833 4163b0 std::_Throw_Cpp_error 41 API calls 49833->49838 49835 46ade9 49834->49835 49837 402cf0 std::_Throw_Cpp_error 41 API calls 49835->49837 49836 402cf0 std::_Throw_Cpp_error 41 API calls 49836->49838 49839 46ae63 49837->49839 49838->49833 49838->49836 49845 47747b 49838->49845 49840 402cf0 std::_Throw_Cpp_error 41 API calls 49839->49840 49842 46af8d 49840->49842 49841 402cf0 std::_Throw_Cpp_error 41 API calls 49841->49845 49843 4aa200 222 API calls 49842->49843 49846 46afa8 49843->49846 49844 4aa200 222 API calls 49844->49845 49845->49841 49845->49844 49847 4774af 49845->49847 49849 46afbd 49846->49849 49848 4774d1 49847->49848 49851 4163b0 std::_Throw_Cpp_error 41 API calls 49848->49851 49850 46afdf 49849->49850 49852 4163b0 std::_Throw_Cpp_error 41 API calls 49850->49852 49853 4774e0 49851->49853 49854 46afe7 49852->49854 49862 4774fd 49853->49862 49855 46b001 49854->49855 49856 46b008 49855->49856 49858 4163b0 std::_Throw_Cpp_error 41 API calls 49858->49862 49860 402cf0 std::_Throw_Cpp_error 41 API calls 49860->49862 49862->49858 49862->49860 49869 477700 49862->49869 49864 402cf0 std::_Throw_Cpp_error 41 API calls 49864->49869 49867 4aa200 222 API calls 49867->49869 49869->49864 49869->49867 49871 477734 49869->49871 49872 477756 49871->49872 49875 4163b0 std::_Throw_Cpp_error 41 API calls 49872->49875 49877 477765 49875->49877 49887 477782 49877->49887 49881 4163b0 std::_Throw_Cpp_error 41 API calls 49881->49887 49885 402cf0 std::_Throw_Cpp_error 41 API calls 49885->49887 49887->49881 49887->49885 49893 477985 49887->49893 49888 402cf0 std::_Throw_Cpp_error 41 API calls 49888->49893 49891 4aa200 222 API calls 49891->49893 49893->49888 49893->49891 49895 4779b9 49893->49895 49896 
4779db 49895->49896 50033 402cf0 std::_Throw_Cpp_error 41 API calls 50033->50037 50036 4aa200 222 API calls 50036->50037 50037->49811 50037->49812 50037->50033 50037->50036 51157->49823 51159 4359b0 __fread_nolock 51158->51159 51160 4aa25b SHGetFolderPathA 51159->51160 52119 41ac50 51160->52119 51162 4aa28f 51163 4aa2ad 51162->51163 51164 4ab3c5 51162->51164 51166 4163b0 std::_Throw_Cpp_error 41 API calls 51163->51166 51165 4152b0 41 API calls 51164->51165 51168 4ab411 51165->51168 51167 4aa2be 51166->51167 51169 4c6000 45 API calls 51167->51169 51170 402df0 std::_Throw_Cpp_error 41 API calls 51168->51170 51171 4aa2d1 51169->51171 51172 4ab3c3 51170->51172 51173 4aa2eb 51171->51173 51428 4aa355 std::_Locinfo::_Locinfo_ctor 51171->51428 51179 4242a0 41 API calls 51172->51179 51180 4ab46b 51172->51180 51429 4ab490 std::ios_base::_Ios_base_dtor std::_Locinfo::_Locinfo_ctor 51172->51429 51175 4185d0 76 API calls 51173->51175 51174 4ab3b4 51177 4185d0 76 API calls 51174->51177 51176 4aa2f7 51175->51176 51178 4185d0 76 API calls 51176->51178 51177->51172 51181 4aa303 51178->51181 51179->51180 51182 402df0 std::_Throw_Cpp_error 41 API calls 51180->51182 51183 402df0 std::_Throw_Cpp_error 41 API calls 51181->51183 51182->51429 51186 4aa30f 51183->51186 51184 4adb0c 51189 417ef0 41 API calls 51184->51189 51185 41ab20 41 API calls 51185->51429 51187 402df0 std::_Throw_Cpp_error 41 API calls 51186->51187 51191 4adb7a 51189->51191 51193 4140c0 41 API calls 51191->51193 51195 4adba4 51193->51195 52127 41af80 51195->52127 51198 41ad80 41 API calls 51198->51429 51207 4adb07 51211 438c70 std::_Throw_Cpp_error 41 API calls 51207->51211 51211->51184 51219 41e8a0 41 API calls 51219->51429 51227 402df0 41 API calls std::_Throw_Cpp_error 51227->51428 51251 41e8a0 41 API calls 51251->51428 51273 41e710 41 API calls 51273->51429 51276 418f00 std::_Throw_Cpp_error 41 API calls 51276->51429 51284 41abb0 41 API calls 51284->51429 51295 41abb0 41 API calls 51295->51428 51323 4e6d70 78 API 
calls 51323->51429 51342 403040 41 API calls std::_Throw_Cpp_error 51342->51429 51349 4032d0 41 API calls std::_Throw_Cpp_error 51349->51429 51356 4235f0 41 API calls 51356->51429 51365 402df0 41 API calls std::_Throw_Cpp_error 51365->51429 51368 418f00 41 API calls std::_Throw_Cpp_error 51368->51428 51384 402fe0 41 API calls std::_Throw_Cpp_error 51384->51429 51400 4163b0 41 API calls std::_Throw_Cpp_error 51400->51429 51405 4e6d70 78 API calls 51405->51428 51407 4032d0 std::_Throw_Cpp_error 41 API calls 51407->51428 51412 4163b0 41 API calls std::_Throw_Cpp_error 51412->51428 51428->51174 51428->51184 51428->51227 51428->51251 51428->51295 51428->51368 51428->51405 51428->51407 51428->51412 52294 424400 44 API calls 4 library calls 51428->52294 51429->51176 51429->51184 51429->51185 51429->51198 51429->51207 51429->51219 51429->51273 51429->51276 51429->51284 51429->51323 51429->51342 51429->51349 51429->51356 51429->51365 51429->51384 51429->51400 51430 4098e0 41 API calls 51429->51430 51430->51429 52120 41ac81 52119->52120 52120->52120 52121 41acd3 52120->52121 52122 41ac9b 52120->52122 52125 41fbf0 41 API calls 52121->52125 52123 41e8a0 41 API calls 52122->52123 52124 41acb2 52123->52124 52124->51162 52126 41ad24 52125->52126 52126->51162 52294->51428 52976 46a140 52987 46a17b 52976->52987 52977 46aa60 52978 4163b0 41 API calls std::_Throw_Cpp_error 52978->52987 52982 41af80 41 API calls 52982->52987 52983 413d50 41 API calls 52983->52987 52984 4138b0 41 API calls 52984->52987 52987->52977 52987->52978 52987->52982 52987->52983 52987->52984 52988 49f0d0 52987->52988 53080 49d3a0 52987->53080 53160 49af60 52987->53160 53241 4986b0 52987->53241 53318 4963b0 52987->53318 52989 49f106 52988->52989 52990 417ef0 41 API calls 52989->52990 52991 49f12f 52990->52991 52992 4140c0 41 API calls 52991->52992 52993 49f159 52992->52993 52994 41af80 41 API calls 52993->52994 52995 49f1f4 __fread_nolock 52994->52995 52996 49f212 SHGetFolderPathA 52995->52996 52997 41ac50 41 
API calls 52996->52997 52998 49f23f 52997->52998 52999 41ab20 41 API calls 52998->52999 53000 49f2e4 __fread_nolock 52999->53000 53001 49f2fe GetPrivateProfileSectionNamesA 53000->53001 53054 49f331 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53001->53054 53003 4a348d lstrlen 53004 4a34a3 53003->53004 53003->53054 53005 402df0 std::_Throw_Cpp_error 41 API calls 53004->53005 53007 4a34b2 53005->53007 53006 49f422 GetPrivateProfileStringA 53006->53054 53008 402df0 std::_Throw_Cpp_error 41 API calls 53007->53008 53009 4a34c1 53008->53009 53010 402df0 std::_Throw_Cpp_error 41 API calls 53009->53010 53011 4a34cd 53010->53011 53014 402df0 std::_Throw_Cpp_error 41 API calls 53011->53014 53012 4a34fb 53016 402cf0 std::_Throw_Cpp_error 41 API calls 53012->53016 53013 41abb0 41 API calls 53013->53054 53015 4a34d9 53014->53015 53017 402df0 std::_Throw_Cpp_error 41 API calls 53015->53017 53018 4a3514 53016->53018 53019 4a34e5 53017->53019 53020 41ace0 41 API calls 53018->53020 53019->52987 53021 4a3529 53020->53021 53022 407cf0 41 API calls 53021->53022 53023 4a3541 53022->53023 53024 4351fb Concurrency::cancel_current_task RaiseException 53023->53024 53025 4a3555 53024->53025 53026 438c70 std::_Throw_Cpp_error 41 API calls 53025->53026 53027 4a355a 53026->53027 53029 402cf0 std::_Throw_Cpp_error 41 API calls 53027->53029 53028 41e8a0 41 API calls 53028->53054 53032 4a356d 53029->53032 53030 4d6790 148 API calls 53030->53054 53031 4e7640 87 API calls 53031->53054 53035 41ace0 41 API calls 53032->53035 53033 4032d0 std::_Throw_Cpp_error 41 API calls 53033->53054 53034 41b430 53 API calls 53034->53054 53036 4a3582 53035->53036 53037 407cf0 41 API calls 53036->53037 53038 4a359a 53037->53038 53039 4351fb Concurrency::cancel_current_task RaiseException 53038->53039 53041 4a35ae 53039->53041 53040 4d65f0 87 API calls 53040->53054 53042 402cf0 std::_Throw_Cpp_error 41 API calls 53041->53042 53043 4a35c2 53042->53043 53044 41ace0 41 API calls 
53043->53044 53045 4a35d7 53044->53045 53046 407cf0 41 API calls 53045->53046 53047 4a35ef 53046->53047 53048 4351fb Concurrency::cancel_current_task RaiseException 53047->53048 53049 4a3603 53048->53049 53050 417ef0 41 API calls 53050->53054 53051 4130f0 41 API calls 53051->53054 53053 4e6ca0 86 API calls 53053->53054 53054->53003 53054->53006 53054->53012 53054->53013 53054->53025 53054->53027 53054->53028 53054->53030 53054->53031 53054->53033 53054->53034 53054->53040 53054->53041 53054->53050 53054->53051 53054->53053 53055 4a1c5f CreateDirectoryA 53054->53055 53057 426db0 41 API calls 53054->53057 53058 41af80 41 API calls 53054->53058 53059 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53054->53059 53060 41ad80 41 API calls 53054->53060 53061 403040 41 API calls std::_Throw_Cpp_error 53054->53061 53062 413d50 41 API calls 53054->53062 53063 41b0e0 41 API calls 53054->53063 53064 4a1f46 CreateDirectoryA 53054->53064 53065 41ab20 41 API calls 53054->53065 53066 402fe0 41 API calls std::_Throw_Cpp_error 53054->53066 53067 402cf0 std::_Throw_Cpp_error 41 API calls 53054->53067 53069 41ace0 41 API calls 53054->53069 53070 41b7b0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection 53054->53070 53071 4e6d70 78 API calls 53054->53071 53072 439820 43 API calls 53054->53072 53074 413980 41 API calls 53054->53074 53075 402df0 41 API calls std::_Throw_Cpp_error 53054->53075 53076 4a3610 154 API calls 53054->53076 53077 441628 75 API calls 53054->53077 53078 43d0a8 78 API calls 53054->53078 53397 440fae 53054->53397 53411 42c080 41 API calls 2 library calls 53054->53411 53412 424900 41 API calls 53054->53412 53413 413200 53054->53413 53428 41b9d0 41 API calls 2 library calls 53054->53428 53429 4136c0 41 API calls 2 library calls 53054->53429 53055->53054 53057->53054 53058->53054 53059->53054 53060->53054 53061->53054 53062->53054 53063->53054 53064->53054 53065->53054 53066->53054 53067->53054 53069->53054 
53070->53054 53071->53054 53072->53054 53074->53054 53075->53054 53076->53054 53077->53054 53078->53054 53081 49d3d6 53080->53081 53082 417ef0 41 API calls 53081->53082 53083 49d3ff 53082->53083 53084 4140c0 41 API calls 53083->53084 53085 49d429 53084->53085 53086 41af80 41 API calls 53085->53086 53087 49d4c4 __fread_nolock 53086->53087 53088 49d4e2 SHGetFolderPathA 53087->53088 53089 41ac50 41 API calls 53088->53089 53090 49d50f 53089->53090 53091 41ab20 41 API calls 53090->53091 53092 49d5b4 __fread_nolock 53091->53092 53093 49d5ce GetPrivateProfileSectionNamesA 53092->53093 53154 49d601 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53093->53154 53094 440fae 50 API calls 53094->53154 53095 49ef31 lstrlen 53096 49ef47 53095->53096 53095->53154 53097 402df0 std::_Throw_Cpp_error 41 API calls 53096->53097 53099 49ef56 53097->53099 53098 49d6f2 GetPrivateProfileStringA 53098->53154 53100 402df0 std::_Throw_Cpp_error 41 API calls 53099->53100 53102 49ef65 53100->53102 53101 49f068 53107 438c70 std::_Throw_Cpp_error 41 API calls 53101->53107 53104 402df0 std::_Throw_Cpp_error 41 API calls 53102->53104 53103 41e8a0 41 API calls 53103->53154 53105 49ef71 53104->53105 53105->52987 53106 41abb0 41 API calls 53106->53154 53108 49f072 53107->53108 53110 402cf0 std::_Throw_Cpp_error 41 API calls 53108->53110 53109 402df0 41 API calls std::_Throw_Cpp_error 53109->53154 53111 49f089 53110->53111 53112 41ace0 41 API calls 53111->53112 53113 49f09e 53112->53113 53114 407cf0 41 API calls 53113->53114 53115 49f0b6 53114->53115 53116 4351fb Concurrency::cancel_current_task RaiseException 53115->53116 53118 49f0ca 53116->53118 53117 41ab20 41 API calls 53117->53154 53119 439820 43 API calls 53119->53154 53120 43d0a8 78 API calls 53120->53154 53121 4140c0 41 API calls 53121->53154 53122 4e64d0 44 API calls 53122->53154 53124 49efc0 53128 402cf0 std::_Throw_Cpp_error 41 API calls 53124->53128 53125 4032d0 41 API calls std::_Throw_Cpp_error 53125->53154 
53126 4185d0 76 API calls 53126->53154 53127 4180a0 41 API calls 53127->53154 53130 49efd7 53128->53130 53129 416130 41 API calls 53129->53154 53131 41ace0 41 API calls 53130->53131 53132 49efec 53131->53132 53134 407cf0 41 API calls 53132->53134 53133 4d6790 148 API calls 53133->53154 53135 49f004 53134->53135 53136 4351fb Concurrency::cancel_current_task RaiseException 53135->53136 53136->53101 53137 49ef86 53139 402cf0 std::_Throw_Cpp_error 41 API calls 53137->53139 53138 4d65f0 87 API calls 53138->53154 53140 49ef99 53139->53140 53141 41ace0 41 API calls 53140->53141 53147 49ee87 53141->53147 53142 407cf0 41 API calls 53142->53135 53143 49ee5e 53144 402cf0 std::_Throw_Cpp_error 41 API calls 53143->53144 53145 49ee72 53144->53145 53146 41ace0 41 API calls 53145->53146 53146->53147 53147->53142 53148 417ef0 41 API calls 53148->53154 53150 426db0 41 API calls 53150->53154 53151 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53151->53154 53152 403040 41 API calls std::_Throw_Cpp_error 53152->53154 53153 49f014 53157 402cf0 std::_Throw_Cpp_error 41 API calls 53153->53157 53154->53094 53154->53095 53154->53098 53154->53101 53154->53103 53154->53106 53154->53108 53154->53109 53154->53117 53154->53119 53154->53120 53154->53121 53154->53122 53154->53124 53154->53125 53154->53126 53154->53127 53154->53129 53154->53133 53154->53137 53154->53138 53154->53143 53154->53148 53154->53150 53154->53151 53154->53152 53154->53153 53155 413d50 41 API calls 53154->53155 53156 424900 41 API calls 53154->53156 53437 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53154->53437 53438 423f40 102 API calls 4 library calls 53154->53438 53155->53154 53156->53154 53158 49f027 53157->53158 53159 41ace0 41 API calls 53158->53159 53159->53147 53161 49af96 53160->53161 53162 417ef0 41 API calls 53161->53162 53163 49afbf 53162->53163 53164 4140c0 41 API calls 53163->53164 53165 49afe9 53164->53165 53166 41af80 
41 API calls 53165->53166 53167 49b128 __fread_nolock 53166->53167 53168 49b146 SHGetFolderPathA 53167->53168 53169 41ac50 41 API calls 53168->53169 53170 49b173 53169->53170 53171 41ab20 41 API calls 53170->53171 53172 49b227 __fread_nolock 53171->53172 53173 49b241 GetPrivateProfileSectionNamesA 53172->53173 53232 49b274 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53173->53232 53174 440fae 50 API calls 53174->53232 53175 49d22c lstrlen 53176 49d242 53175->53176 53175->53232 53178 402df0 std::_Throw_Cpp_error 41 API calls 53176->53178 53177 49b365 GetPrivateProfileStringA 53177->53232 53179 49d251 53178->53179 53180 402df0 std::_Throw_Cpp_error 41 API calls 53179->53180 53182 49d260 53180->53182 53181 49d329 53187 438c70 std::_Throw_Cpp_error 41 API calls 53181->53187 53184 402df0 std::_Throw_Cpp_error 41 API calls 53182->53184 53183 41e8a0 41 API calls 53183->53232 53185 49d26c 53184->53185 53185->52987 53186 41abb0 41 API calls 53186->53232 53188 49d333 53187->53188 53440 419e60 RaiseException 53188->53440 53190 49d338 53191 402cf0 std::_Throw_Cpp_error 41 API calls 53190->53191 53192 49d34f 53191->53192 53193 41ace0 41 API calls 53192->53193 53194 49d364 53193->53194 53195 407cf0 41 API calls 53194->53195 53197 49d37c 53195->53197 53196 41ab20 41 API calls 53196->53232 53198 4351fb Concurrency::cancel_current_task RaiseException 53197->53198 53200 49d390 53198->53200 53199 439820 43 API calls 53199->53232 53201 43d0a8 78 API calls 53201->53232 53202 4140c0 41 API calls 53202->53232 53203 4e64d0 44 API calls 53203->53232 53205 49d281 53209 402cf0 std::_Throw_Cpp_error 41 API calls 53205->53209 53206 4032d0 41 API calls std::_Throw_Cpp_error 53206->53232 53207 4185d0 76 API calls 53207->53232 53208 4180a0 41 API calls 53208->53232 53210 49d298 53209->53210 53212 41ace0 41 API calls 53210->53212 53211 416130 41 API calls 53211->53232 53214 49d2ad 53212->53214 53213 4d6790 148 API calls 53213->53232 53215 407cf0 41 API calls 
53214->53215 53216 49d2c5 53215->53216 53218 4351fb Concurrency::cancel_current_task RaiseException 53216->53218 53217 41af80 41 API calls 53217->53232 53218->53181 53219 49d0d3 53223 402cf0 std::_Throw_Cpp_error 41 API calls 53219->53223 53220 4d65f0 87 API calls 53220->53232 53221 413d50 41 API calls 53221->53232 53222 424900 41 API calls 53222->53232 53224 49d0e6 53223->53224 53225 41ace0 41 API calls 53224->53225 53240 49d0fb 53225->53240 53226 407cf0 41 API calls 53226->53216 53227 41fbf0 41 API calls 53227->53232 53228 418f00 std::_Throw_Cpp_error 41 API calls 53228->53232 53229 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53229->53232 53230 402df0 41 API calls std::_Throw_Cpp_error 53230->53232 53231 426db0 41 API calls 53231->53232 53232->53174 53232->53175 53232->53177 53232->53181 53232->53183 53232->53186 53232->53188 53232->53190 53232->53196 53232->53199 53232->53201 53232->53202 53232->53203 53232->53205 53232->53206 53232->53207 53232->53208 53232->53211 53232->53213 53232->53217 53232->53219 53232->53220 53232->53221 53232->53222 53232->53227 53232->53228 53232->53229 53232->53230 53232->53231 53233 4163b0 std::_Throw_Cpp_error 41 API calls 53232->53233 53234 403040 41 API calls std::_Throw_Cpp_error 53232->53234 53235 49d2d5 53232->53235 53236 417ef0 41 API calls 53232->53236 53439 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53232->53439 53233->53232 53234->53232 53237 402cf0 std::_Throw_Cpp_error 41 API calls 53235->53237 53236->53232 53238 49d2e8 53237->53238 53239 41ace0 41 API calls 53238->53239 53239->53240 53240->53226 53242 4986e6 53241->53242 53243 417ef0 41 API calls 53242->53243 53244 49870f 53243->53244 53245 4140c0 41 API calls 53244->53245 53246 498739 53245->53246 53247 41af80 41 API calls 53246->53247 53248 4987d4 __fread_nolock 53247->53248 53249 4987f2 SHGetFolderPathA 53248->53249 53250 41ac50 41 API calls 53249->53250 53251 49881f 
53250->53251 53252 41ab20 41 API calls 53251->53252 53253 4988c4 __fread_nolock 53252->53253 53254 4988de GetPrivateProfileSectionNamesA 53253->53254 53307 498914 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53254->53307 53255 440fae 50 API calls 53255->53307 53256 49ae10 lstrlen 53257 49ae29 53256->53257 53256->53307 53259 402df0 std::_Throw_Cpp_error 41 API calls 53257->53259 53258 498a05 GetPrivateProfileStringA 53258->53307 53260 49ae38 53259->53260 53261 402df0 std::_Throw_Cpp_error 41 API calls 53260->53261 53262 49ae47 53261->53262 53264 402df0 std::_Throw_Cpp_error 41 API calls 53262->53264 53263 49aef7 53268 438c70 std::_Throw_Cpp_error 41 API calls 53263->53268 53266 49ae53 53264->53266 53265 41e8a0 41 API calls 53265->53307 53266->52987 53267 41abb0 41 API calls 53267->53307 53269 49af01 53268->53269 53270 402cf0 std::_Throw_Cpp_error 41 API calls 53269->53270 53271 49af15 53270->53271 53272 41ace0 41 API calls 53271->53272 53273 49af2a 53272->53273 53274 407cf0 41 API calls 53273->53274 53275 49af42 53274->53275 53276 4351fb Concurrency::cancel_current_task RaiseException 53275->53276 53278 49af56 53276->53278 53277 41ab20 41 API calls 53277->53307 53279 439820 43 API calls 53279->53307 53280 43d0a8 78 API calls 53280->53307 53281 402df0 41 API calls std::_Throw_Cpp_error 53281->53307 53282 4140c0 41 API calls 53282->53307 53283 4e64d0 44 API calls 53283->53307 53284 4032d0 41 API calls std::_Throw_Cpp_error 53284->53307 53286 49ae68 53288 402cf0 std::_Throw_Cpp_error 41 API calls 53286->53288 53287 4185d0 76 API calls 53287->53307 53290 49ae7f 53288->53290 53289 416130 41 API calls 53289->53307 53291 41ace0 41 API calls 53290->53291 53293 49ad42 53291->53293 53292 4d6790 148 API calls 53292->53307 53294 407cf0 41 API calls 53293->53294 53295 49aee3 53294->53295 53297 4351fb Concurrency::cancel_current_task RaiseException 53295->53297 53296 41af80 41 API calls 53296->53307 53297->53263 53298 4d65f0 87 API calls 53298->53307 
53299 49ad1a 53302 402cf0 std::_Throw_Cpp_error 41 API calls 53299->53302 53300 413d50 41 API calls 53300->53307 53301 424900 41 API calls 53301->53307 53303 49ad2d 53302->53303 53304 41ace0 41 API calls 53303->53304 53304->53293 53305 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53305->53307 53306 417ef0 41 API calls 53306->53307 53307->53255 53307->53256 53307->53258 53307->53263 53307->53265 53307->53267 53307->53269 53307->53277 53307->53279 53307->53280 53307->53281 53307->53282 53307->53283 53307->53284 53307->53286 53307->53287 53307->53289 53307->53292 53307->53296 53307->53298 53307->53299 53307->53300 53307->53301 53307->53305 53307->53306 53308 403040 41 API calls std::_Throw_Cpp_error 53307->53308 53309 4412f6 50 API calls 53307->53309 53310 426db0 41 API calls 53307->53310 53311 402fe0 41 API calls std::_Throw_Cpp_error 53307->53311 53313 4180a0 41 API calls 53307->53313 53314 49aea3 53307->53314 53441 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53307->53441 53442 42c080 41 API calls 2 library calls 53307->53442 53308->53307 53309->53307 53310->53307 53311->53307 53313->53307 53315 402cf0 std::_Throw_Cpp_error 41 API calls 53314->53315 53316 49aeb6 53315->53316 53317 41ace0 41 API calls 53316->53317 53317->53293 53319 4963e6 53318->53319 53320 417ef0 41 API calls 53319->53320 53321 49640f 53320->53321 53322 4140c0 41 API calls 53321->53322 53323 496439 53322->53323 53324 41af80 41 API calls 53323->53324 53325 4964d4 __fread_nolock 53324->53325 53326 4964f2 SHGetFolderPathA 53325->53326 53327 41ac50 41 API calls 53326->53327 53328 49651f 53327->53328 53329 41ab20 41 API calls 53328->53329 53330 4965c4 __fread_nolock 53329->53330 53331 4965de GetPrivateProfileSectionNamesA 53330->53331 53334 496611 std::ios_base::_Ios_base_dtor __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z std::_Locinfo::_Locinfo_ctor 53331->53334 53332 440fae 50 API calls 
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                        • CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                        • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
                                        • FindClose.KERNEL32(00000000), ref: 004E057C
                                        • GetLastError.KERNEL32 ref: 004E0582
                                        • GetLastError.KERNEL32 ref: 004E05A0
                                          • Part of subcall function 004E71E0: GetCurrentProcess.KERNEL32(004E0900), ref: 004E71EF
                                          • Part of subcall function 004E71E0: IsWow64Process.KERNEL32(00000000), ref: 004E71F6
                                          • Part of subcall function 0044196B: GetSystemTimeAsFileTime.KERNEL32(004E0A78,00000000,00000000,?,?,?,004E0A78,00000000), ref: 00441980
                                          • Part of subcall function 0044196B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044199F
                                        • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?,?,?), ref: 004E0D31
                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E0DFD
                                        • RegCloseKey.ADVAPI32(?), ref: 004E0E32
                                        • GetCurrentHwProfileA.ADVAPI32(?), ref: 004E0FCA
                                        • GetModuleHandleExA.KERNEL32(00000004,004E5FC0,?,?,?,?,?,?,?,?,00000000), ref: 004E14CB
                                        • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,00000000), ref: 004E14E3
                                        • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 004E1E96
                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E1F62
                                        • RegCloseKey.ADVAPI32(?), ref: 004E21E1
                                        • GetComputerNameA.KERNEL32(?,?), ref: 004E2215
                                        • GetUserNameA.ADVAPI32(?,?), ref: 004E23B3
                                        • GetDesktopWindow.USER32 ref: 004E2456
                                        • GetWindowRect.USER32(00000000,?), ref: 004E2464
                                        • GetUserDefaultLocaleName.KERNEL32(?,00000200), ref: 004E25CF
                                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 004E2A95
                                        • LocalAlloc.KERNEL32(00000040), ref: 004E2AA7
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 004E2AC2
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004E2AED
                                        • LocalFree.KERNEL32(?), ref: 004E2CB0
                                        • GetLocalTime.KERNEL32(?), ref: 004E2CC7
                                        • GetSystemTime.KERNEL32(?), ref: 004E2EDD
                                        • GetTimeZoneInformation.KERNELBASE(?), ref: 004E2F00
                                        • TzSpecificLocalTimeToSystemTime.KERNELBASE(?,?,?), ref: 004E2F25
                                        • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E333F
                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E3491
                                        • RegCloseKey.ADVAPI32(?), ref: 004E3542
                                        • GetSystemInfo.KERNELBASE(?), ref: 004E356A
                                        • GlobalMemoryStatusEx.KERNELBASE(?), ref: 004E361D
                                        • EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004E3731
                                        • EnumDisplayDevicesA.USER32(00000000,00000001,?,00000001), ref: 004E3B14
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004E3C53
                                        • Process32First.KERNEL32(00000000,?), ref: 004E3C6B
                                        • Process32Next.KERNEL32(00000000,?), ref: 004E3C81
                                        • Process32Next.KERNEL32(00000000,?), ref: 004E3D53
                                        • CloseHandle.KERNEL32(00000000), ref: 004E3D62
                                        • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E40D6
                                        • RegEnumKeyExA.KERNELBASE(?,00000000,?,?), ref: 004E410D
                                        • wsprintfA.USER32 ref: 004E41F0
                                        • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E4213
                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 004E4312
                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 004E4409
                                        • RegCloseKey.ADVAPI32(?), ref: 004E44E5
                                        • RegCloseKey.ADVAPI32(?), ref: 004E4500
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: CloseTime$FileOpenQueryValue$LocalNameSystem$EnumFindNextProcess32$CreateCurrentDevicesDisplayErrorFirstHandleInfoKeyboardLastLayoutListLocaleModuleProcessUserWindow$AllocComputerCopyDefaultDesktopDirectoryFreeGlobalInformationMemoryProfileRectSnapshotSpecificStatusToolhelp32Unothrow_t@std@@@Wow64Zone__ehfuncinfo$??2@wsprintf
                                        • String ID: 2.0$3"A$;Yb.$gemot
                                        • API String ID: 3185416054-425793048
                                        • Opcode ID: 8a4499befa84087c96734190f2dbd5b16cc983e1812e10724d9651c8621e90b5
                                        • Instruction ID: 762722eee12899a3fad9018c2ab51fc1fd94b4ba954c9d0aaa9e31c72487c533
                                        • Opcode Fuzzy Hash: 8a4499befa84087c96734190f2dbd5b16cc983e1812e10724d9651c8621e90b5
                                        • Instruction Fuzzy Hash: BFB3EFB4D0426D8BDB25CF99C981AEEBBB1FF48300F1041AAD949B7351DB345A81CFA5
                                        APIs
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BAD2
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040BF80
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C47A
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C575
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C969
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040CD72
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D17B
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D29A
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D6F8
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D9DC
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DAD7
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040DE41
                                        • CopyFileA.KERNEL32(?,?,00000000), ref: 0040E55A
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040ECF6
                                        • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040EEEA
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F45B
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F525
                                        • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 004101ED
                                        • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410580
                                        • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0041088D
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00410DC4
                                        • CopyFileA.KERNEL32(?,?,00000000), ref: 0041173C
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411904
                                        • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00411CD7
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411E6E
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411FBE
                                        • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410B14
                                          • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00410F12
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FEF1
                                          • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FC55
                                          • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F933
                                          • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                          • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                          • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                          • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                          • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040E6FA
                                          • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                          • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0042910D
                                          • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00429155
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DF3C
                                          • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                          • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                                          • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                                          • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D5FD
                                          • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BB07
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BD08
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BD37
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C0CC
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C196
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Directory$Create$File$Copy$Find$Cpp_errorThrow_std::_$AttributesErrorFirstLast$FolderPath___std_fs_convert_narrow_to_wide@20$CloseDeleteNextRemove
                                        • String ID:
                                        • API String ID: 1172780710-0
                                        • Opcode ID: a5ab48d61c2b3dff66acd5580ca9f5a7979e211ebeafd6bfe51893aa718087df
                                        • Instruction ID: 57087eddf2f8576e704702d152c9cc5b4e2b87ff67a8e07952ed474be97f1841
                                        • Opcode Fuzzy Hash: a5ab48d61c2b3dff66acd5580ca9f5a7979e211ebeafd6bfe51893aa718087df
                                        • Instruction Fuzzy Hash: 56F3E2B4D0425D8BDF25CF99C981AEEBBB1BF18304F1041AAD849B7341DB385A85CF69
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004AA277
                                          • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: FileFindFirstFolderPath
                                        • String ID: ;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$Jzv"$WUa5$X<b.$cannot use operator[] with a string argument with $cannot use push_back() with
                                        • API String ID: 2195519125-383699475
                                        • Opcode ID: 00cd188d2fa64ad8964c3ab9e7967e547fc4f3fae0fcfb37dc21949e65736659
                                        • Instruction ID: d5c29c46e18a526762dbfc7c8aed9f945ae13eab665394adbd88e65e82b678fb
                                        • Opcode Fuzzy Hash: 00cd188d2fa64ad8964c3ab9e7967e547fc4f3fae0fcfb37dc21949e65736659
                                        • Instruction Fuzzy Hash: 29B433B0D052698BDB25CF68C984BEEBBB1BF49304F1081DAD449A7281DB746F84CF95
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,0055B192,000000FF), ref: 004D766C
                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004D7693
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7959
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7CBB
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004D8DF7
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D9992
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA31E
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DA3EF
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA712
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAA7D
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DAB4E
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAE39
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 004DB0C9
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB27C
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB556
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB93C
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 004DBCF1
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DBEA4
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC17E
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC564
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9FB3
                                          • Part of subcall function 004DFF00: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
                                          • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E05A0
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC99C
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DCAF3
                                          • Part of subcall function 004DE430: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9C53
                                          • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                          • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                          • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                          • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                          • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                          • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 004D9648
                                          • Part of subcall function 004DFF00: FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
                                          • Part of subcall function 004DFF00: FindClose.KERNEL32(00000000), ref: 004E057C
                                          • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E0582
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004D91DD
                                          • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                          • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                                          • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                                          • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 004D896A
                                          • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D8B1D
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004D8362
                                          • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004D8623
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D801B
                                          • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Directory$Create$File$Find$ErrorLast$CopyCpp_errorThrow_std::_$AttributesFolderPath$CloseFirstNext$DeleteRemove
                                        • String ID:
                                        • API String ID: 1140557632-0
                                        • Opcode ID: e82f1e92f549f30e97cc6cc2b299e4ee6cad0568081bbef442e5b3f1a2ecc56a
                                        • Instruction ID: 6b404ecdfd53acb60f6cf5d734e717c5294ca690171ae70fa85b8f1a38f34a58
                                        • Opcode Fuzzy Hash: e82f1e92f549f30e97cc6cc2b299e4ee6cad0568081bbef442e5b3f1a2ecc56a
                                        • Instruction Fuzzy Hash: 76F3F2B4D0525A8BCF15CFA9C9916EEBBB0BF18304F20419AD549B7341DB346B84CFA6
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B
                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049086F
                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00490895
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490A2C
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490CB3
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490DA0
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490EE1
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490FCB
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 004910B5
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 0049119F
                                        • RegCloseKey.ADVAPI32(?), ref: 0049229B
                                        • RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 004922D1
                                        • RegCloseKey.ADVAPI32(?), ref: 004922E5
                                        Strings
                                        • cannot use operator[] with a string argument with , xrefs: 0049239E, 004923F3
                                        • cannot use push_back() with , xrefs: 00492345
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: QueryValue$CloseEnumOpen
                                        • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                        • API String ID: 2041898428-3306948993
                                        • Opcode ID: 23dad9be7e4742c3290de62e3e37c39c0e0c4f67347f3be3533d008ac6b135ff
                                        • Instruction ID: 6d5f253b48c5edfa20594e0b0a8a78ae050bf84d77acb07cc1b8e3b44561805a
                                        • Opcode Fuzzy Hash: 23dad9be7e4742c3290de62e3e37c39c0e0c4f67347f3be3533d008ac6b135ff
                                        • Instruction Fuzzy Hash: 511322B0C042698BDB25CF68CD84BEEBBB4BF49304F1042EAD549A7241EB756B85CF54
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00493FA7
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • FindFirstFileA.KERNEL32(?,?), ref: 0049455F
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0049496C
                                        • FindClose.KERNEL32(00000000), ref: 0049497C
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494A53
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494B19
                                        • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00494C9D
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494E44
                                        • CopyFileA.KERNEL32(00000000,?,00000000), ref: 004950F8
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00495638
                                        • CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 004959FD
                                        • LocalFree.KERNELBASE(00000000,?,?,?,00000004), ref: 004962D7
                                          • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,0041ABA8,?,?,?,00431D09,0041ABA8,005799D8,00000000,0041ABA8), ref: 0043525B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: File$CopyCreateDirectoryFind$Cpp_errorThrow_std::_$AttributesCloseCredEnumerateErrorExceptionFirstFolderFreeLastLocalNextPathRaise
                                        • String ID: cannot use operator[] with a string argument with $tmX
                                        • API String ID: 3528249430-2011928656
                                        • Opcode ID: 1a02a1b8cea7a3604c6deac95239a3494b5f8674a35ba7ef5cc4d9f5089fb20c
                                        • Instruction ID: 1c5c2bc117abc336d538eb0f3ab0e4b698252c7f2e821ac10c87ad1798346723
                                        • Opcode Fuzzy Hash: 1a02a1b8cea7a3604c6deac95239a3494b5f8674a35ba7ef5cc4d9f5089fb20c
                                        • Instruction Fuzzy Hash: 0E3310B4C042698BDB25CFA8C994BEDBBB0BF18304F1041EAD849A7351EB346B85CF55
                                        APIs
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 004827AB
                                        • SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00482AA7
                                        • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00482DA5
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00483105
                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00483433
                                        • SHGetFolderPathA.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00483737
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 004844E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: FolderPath$AttributesConcurrency::cancel_current_taskErrorFileLast
                                        • String ID: cannot compare iterators of different containers$cannot get value$type must be boolean, but is $type must be string, but is
                                        • API String ID: 1974481932-2698695959
                                        • Opcode ID: 37688a3e03e452b8910011e895e6a8eb4bd289d6ed3cd8873769e4b0518a04a2
                                        • Instruction ID: 7d592af2553ac1c7978d8671279e796c0dcb22ab630186640302ddbce1f3b4fb
                                        • Opcode Fuzzy Hash: 37688a3e03e452b8910011e895e6a8eb4bd289d6ed3cd8873769e4b0518a04a2
                                        • Instruction Fuzzy Hash: D74334B0C042698BDB25DF28C994BEEBBB5BF48304F1082DAD449A7281DB756F84CF55

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         control_flow_graph 7670 4e6770-4e67c3 call 432b99 7673 4e67c9-4e67d3 7670->7673 7674 4e6be5-4e6be7 call 432534 7670->7674 7675 4e6bec-4e6bf8 call 432534 7673->7675 7676 4e67d9-4e6822 7673->7676 7674->7675 7678 4e6bfd call 402c60 7675->7678 7676->7678 7679 4e6828-4e682e 7676->7679 7684 4e6c02 call 438c70 7678->7684 7682 4e6832-4e6854 call 41e8a0 7679->7682 7683 4e6830 7679->7683 7688 4e6c07-4e6c0f call 438c70 7684->7688 7689 4e6856-4e6862 7682->7689 7690 4e6882-4e68f1 call 402df0 FindFirstFileA 7682->7690 7692 4e6878-4e687f call 4338f3 7689->7692 7693 4e6864-4e6872 7689->7693 7699 4e6b2a 7690->7699 7700 4e68f7 7690->7700 7692->7690 7693->7684 7693->7692 7702 4e6b2c-4e6b36 7699->7702 7701 4e6900-4e6909 7700->7701 7703 4e6910-4e6915 7701->7703 7704 4e6b38-4e6b44 7702->7704 7705 4e6b64-4e6b80 7702->7705 7703->7703 7706 4e6917-4e6922 7703->7706 7709 4e6b5a-4e6b61 call 4338f3 7704->7709 7710 4e6b46-4e6b54 7704->7710 7707 4e6baa-4e6be4 call 432baa 7705->7707 7708 4e6b82-4e6b8e 7705->7708 7712 4e692d-4e6930 7706->7712 7713 4e6924-4e6927 7706->7713 7714 4e6ba0-4e6ba7 call 4338f3 7708->7714 7715 4e6b90-4e6b9e 7708->7715 7709->7705 7710->7688 7710->7709 7719 4e6932-4e6935 7712->7719 7720 4e6943-4e6969 7712->7720 7713->7712 7718 4e6aae-4e6ac1 FindNextFileA 7713->7718 7714->7707 7715->7688 7715->7714 7718->7701 7726 4e6ac7-4e6adb FindClose GetLastError 7718->7726 7719->7720 7723 4e6937-4e693d 7719->7723 7720->7678 7724 4e696f-4e6975 7720->7724 7723->7718 7723->7720 7727 4e6979-4e69a1 call 41e8a0 7724->7727 7728 4e6977 7724->7728 7726->7702 7729 4e6add-4e6ae3 7726->7729 7738 4e69a4-4e69a9 7727->7738 7728->7727 7730 4e6ae7-4e6af5 SetFileAttributesA 7729->7730 7731 4e6ae5 7729->7731 7733 4e6af7-4e6b00 7730->7733 7734 4e6b02-4e6b06 7730->7734 7731->7730 7733->7702 7736 4e6b0a-4e6b13 RemoveDirectoryA 7734->7736 7737 4e6b08 7734->7737 7736->7699 7740 4e6b15-4e6b1e 7736->7740 7737->7736 7738->7738 7741 4e69ab-4e6a59 call 418f00 call 402df0 * 3 7738->7741 7740->7702 7751 4e6a5b-4e6a6e call 4e6770 7741->7751 7752 4e6a79-4e6a92 SetFileAttributesA 7741->7752 7751->7702 7757 4e6a74-4e6a77 7751->7757 7754 4e6a98-4e6aac DeleteFileA 7752->7754 7755 4e6b20-4e6b28 GetLastError 7752->7755 7754->7718 7754->7755 7755->7702 7757->7718
                                        APIs
                                        • FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                        • DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                        • FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                        • FindClose.KERNEL32(?), ref: 004E6ACA
                                        • GetLastError.KERNEL32 ref: 004E6AD0
                                        • SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                        • RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                        • GetLastError.KERNEL32 ref: 004E6B20
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: File$Find$AttributesCpp_errorErrorLastThrow_std::_$CloseDeleteDirectoryFirstNextRemove
                                        • String ID: \*.*
                                        • API String ID: 460640838-1173974218
                                        • Opcode ID: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                                        • Instruction ID: d809dff945c313677263d2cc5f51936a643c350294cf92fd29307912c56e1fe7
                                        • Opcode Fuzzy Hash: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                                        • Instruction Fuzzy Hash: EDD11670C00288CFDB10DFA9C9487EEBBB1FF65305F20425AE454BB292D7786A89DB55
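The serialized control-flow graph printed above for the function at 0x4E6770 is hard to read as one line, but it carries what an analyst needs from this routine: which basic blocks hit which imports, and whether the function calls itself. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code. It parses that exact text (copied verbatim from the report) and answers the questions one asks of a cleanup routine: the function's entry and extent, which block each "ref:" address from the APIs table falls into, which block (if any) calls the entry address, and whether the FindNextFileA block sits on a loop. The grammar the parser assumes (block id, address range, optional "call" targets with "* n" repeat counts, bare API names, and "a->b" edges) is inferred from this one line and is not a documented Joe Sandbox format.

```python
import re
from collections import defaultdict

# Control-flow graph of the function at 0x4E6770, copied verbatim from the "Control-flow
# Graph" line of the report above. Grammar assumed from that line (not a documented format):
# "<id> <start>[-<end>]" opens a block, then "call <target>" (optionally "* <n>"), bare
# imported API names, and "<a>-><b>" edges.
CFG_TEXT = (
    "control_flow_graph 7670 4e6770-4e67c3 call 432b99 7673 4e67c9-4e67d3 7670->7673 "
    "7674 4e6be5-4e6be7 call 432534 7670->7674 7675 4e6bec-4e6bf8 call 432534 7673->7675 "
    "7676 4e67d9-4e6822 7673->7676 7674->7675 7678 4e6bfd call 402c60 7675->7678 7676->7678 "
    "7679 4e6828-4e682e 7676->7679 7684 4e6c02 call 438c70 7678->7684 "
    "7682 4e6832-4e6854 call 41e8a0 7679->7682 7683 4e6830 7679->7683 "
    "7688 4e6c07-4e6c0f call 438c70 7684->7688 7689 4e6856-4e6862 7682->7689 "
    "7690 4e6882-4e68f1 call 402df0 FindFirstFileA 7682->7690 7692 4e6878-4e687f call 4338f3 7689->7692 "
    "7693 4e6864-4e6872 7689->7693 7699 4e6b2a 7690->7699 7700 4e68f7 7690->7700 7692->7690 "
    "7693->7684 7693->7692 7702 4e6b2c-4e6b36 7699->7702 7701 4e6900-4e6909 7700->7701 "
    "7703 4e6910-4e6915 7701->7703 7704 4e6b38-4e6b44 7702->7704 7705 4e6b64-4e6b80 7702->7705 "
    "7703->7703 7706 4e6917-4e6922 7703->7706 7709 4e6b5a-4e6b61 call 4338f3 7704->7709 "
    "7710 4e6b46-4e6b54 7704->7710 7707 4e6baa-4e6be4 call 432baa 7705->7707 "
    "7708 4e6b82-4e6b8e 7705->7708 7712 4e692d-4e6930 7706->7712 7713 4e6924-4e6927 7706->7713 "
    "7714 4e6ba0-4e6ba7 call 4338f3 7708->7714 7715 4e6b90-4e6b9e 7708->7715 7709->7705 "
    "7710->7688 7710->7709 7719 4e6932-4e6935 7712->7719 7720 4e6943-4e6969 7712->7720 "
    "7713->7712 7718 4e6aae-4e6ac1 FindNextFileA 7713->7718 7714->7707 7715->7688 7715->7714 "
    "7718->7701 7726 4e6ac7-4e6adb FindClose GetLastError 7718->7726 7719->7720 "
    "7723 4e6937-4e693d 7719->7723 7720->7678 7724 4e696f-4e6975 7720->7724 7723->7718 "
    "7723->7720 7727 4e6979-4e69a1 call 41e8a0 7724->7727 7728 4e6977 7724->7728 7726->7702 "
    "7729 4e6add-4e6ae3 7726->7729 7738 4e69a4-4e69a9 7727->7738 7728->7727 "
    "7730 4e6ae7-4e6af5 SetFileAttributesA 7729->7730 7731 4e6ae5 7729->7731 "
    "7733 4e6af7-4e6b00 7730->7733 7734 4e6b02-4e6b06 7730->7734 7731->7730 7733->7702 "
    "7736 4e6b0a-4e6b13 RemoveDirectoryA 7734->7736 7737 4e6b08 7734->7737 7736->7699 "
    "7740 4e6b15-4e6b1e 7736->7740 7737->7736 7738->7738 "
    "7741 4e69ab-4e6a59 call 418f00 call 402df0 * 3 7738->7741 7740->7702 "
    "7751 4e6a5b-4e6a6e call 4e6770 7741->7751 7752 4e6a79-4e6a92 SetFileAttributesA 7741->7752 "
    "7751->7702 7757 4e6a74-4e6a77 7751->7757 7754 4e6a98-4e6aac DeleteFileA 7752->7754 "
    "7755 4e6b20-4e6b28 GetLastError 7752->7755 7754->7718 7754->7755 7755->7702 7757->7718"
)
ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

def parse_cfg(text):
    """Return ({block_id: {start, end, calls, apis}}, [(src, dst), ...])."""
    toks = text.split()
    nodes, edges, cur, i = {}, [], None, 1   # toks[0] is the "control_flow_graph" tag
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok == "call":                    # direct call out of the current block
            cur["calls"].append([int(toks[i + 1], 16), 1])
            i += 2
        elif tok == "*":                       # repeat count for the previous call
            cur["calls"][-1][1] = int(toks[i + 1])
            i += 2
        elif ID_RE.match(tok) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = {"start": int(lo, 16), "end": int(hi or lo, 16), "calls": [], "apis": []}
            nodes[int(tok)] = cur
            i += 2
        else:                                  # bare token: imported API hit in this block
            cur["apis"].append(tok)
            i += 1
    return nodes, edges

def entry_point(nodes):
    return min(n["start"] for n in nodes.values())

def block_for(nodes, addr):
    """Block containing a 'ref:' address from the report's APIs table, or None."""
    return next((b for b, n in nodes.items() if n["start"] <= addr <= n["end"]), None)

def recursive_call_sites(nodes):
    """Blocks that call the function's own entry address: direct recursion."""
    entry = entry_point(nodes)
    return sorted(b for b, n in nodes.items() if any(t == entry for t, _ in n["calls"]))

def reachable(edges, src):
    """Blocks reachable from src along edges (src itself only when it lies on a cycle)."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    seen, todo = set(), [src]
    while todo:
        for nxt in succ[todo.pop()] - seen:
            seen.add(nxt)
            todo.append(nxt)
    return seen

def api_sequence(nodes):
    """API-bearing blocks in address order: the skeleton of what the function does."""
    return [(hex(n["start"]), n["apis"]) for n in sorted(nodes.values(), key=lambda n: n["start"]) if n["apis"]]

if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_TEXT)
    print(len(nodes), "blocks; entry", hex(entry_point(nodes)), "; recursion from", recursive_call_sites(nodes))
    for start, apis in api_sequence(nodes):
        print(start, *apis)
```

Running it shows block 7751 (0x4E6A5B) calling 0x4E6770, the function's own entry, and that block flowing back into the FindNextFileA block. Together with the "\*.*" search pattern, SetFileAttributesA with 0x80 (FILE_ATTRIBUTE_NORMAL) immediately before DeleteFileA, and the RemoveDirectoryA at the end, that is the shape of a recursive directory wipe that also clears read-only bits, not a single-level file delete.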
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049F224
                                        • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049F322
                                        • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049F515
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1C76
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1F5D
                                        • lstrlen.KERNEL32(?), ref: 004A348E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
                                        • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with $~]d
                                        • API String ID: 2833034228-1763774129
                                        • Opcode ID: d0cf4de64ad193f4b233d2aae08a9caf55de1bab59726ceb330fbb40ab1f1306
                                        • Instruction ID: 3f98b5ef17dcfaa8f689e4fcb5a5d7fbbd5e2711f2842c60bb6495c93d0a2e70
                                        • Opcode Fuzzy Hash: d0cf4de64ad193f4b233d2aae08a9caf55de1bab59726ceb330fbb40ab1f1306
                                        • Instruction Fuzzy Hash: 2793DCB4D052A98ADB65CF29C990BEDBBB1BF59304F0081EAD84DA7241DB742BC4CF45
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00496504
                                        • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00496602
                                        • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 004967F5
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498078
                                        • lstrlen.KERNEL32(?), ref: 0049854F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                        • String ID: ;Yb.$Tz}9$cannot use operator[] with a string argument with $cannot use push_back() with
                                        • API String ID: 3203477177-4100205650
                                        • Opcode ID: 074035d77b8065e1cc33da42ef3056239dd45ed018233a5fea3ded85fa9596c7
                                        • Instruction ID: 6b3be8cf9a559e92d133cc3b6572ed682d4dab2050fd03768d9c929fe5be15d2
                                        • Opcode Fuzzy Hash: 074035d77b8065e1cc33da42ef3056239dd45ed018233a5fea3ded85fa9596c7
                                        • Instruction Fuzzy Hash: 352300B0D052688BDB25CF28C9947EDBBB5BF49304F1082EAE449A7281DB746BC4CF55
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00498804
                                        • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00498902
                                        • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00498AF8
                                        • lstrlen.KERNEL32(?), ref: 0049AE11
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                        • String ID: ;Yb.$AN|5$cannot use operator[] with a string argument with $cannot use push_back() with
                                        • API String ID: 1311570089-1903585501
                                        • Opcode ID: edf929626061cb72280f4c683da62a59200cb04b193349d1a63bce15248aeab5
                                        • Instruction ID: e112265f5291f7fbed9e5ebb381307dd27655726dfd0f1f0b2bb5fda635101ca
                                        • Opcode Fuzzy Hash: edf929626061cb72280f4c683da62a59200cb04b193349d1a63bce15248aeab5
                                        • Instruction Fuzzy Hash: D44322B0D052688BDB25CF28C8947EEBBB5BF49304F1082EAD449A7242DB756BC4CF55
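The "APIs" tables in the function records above (the HKEY_CURRENT_USER registry walk, the CredEnumerateA/LocalFree pair, the SHGetFolderPathA calls into the user profile, the FindFirstFileA/DeleteFileA/RemoveDirectoryA cleanup routine and the GetPrivateProfile* INI readers) print their arguments as raw hex. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code. It parses those lines exactly as the report prints them and decodes the constants a triager cares about: the registry root and access mask, the CSIDL folder identifiers, the CredEnumerateA flags and the attribute value written just before deletion, then tags the behaviours that the combination of calls implies. The sample lines are copied from the tables above; the CSIDL, HKEY, KEY_READ, CRED_ENUMERATE_ALL_CREDENTIALS and FILE_ATTRIBUTE_NORMAL values are from the Windows SDK headers; the behaviour rule table is this example's own heuristic and an assumption about what each call combination means.

```python
import re

# Call records copied from the "APIs" tables of the function records above (report data,
# not constructed), one per line, in the form the report prints them.
TRACE = r"""
RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049086F
RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490A2C
RegCloseKey.ADVAPI32(?), ref: 0049229B
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00493FA7
Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00494C9D
CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 004959FD
LocalFree.KERNELBASE(00000000,?,?,?,00000004), ref: 004962D7
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00482DA5
FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
DeleteFileA.KERNEL32(?), ref: 004E6AA4
GetLastError.KERNEL32 ref: 004E6AD0
RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
"""

# "<name>.<MODULE>(<hex or ?>,...), ref: <addr>"; the parentheses are absent for some CRT
# helpers, and calls reached through an inlined helper carry a "Part of subcall function" prefix.
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>.+?)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]{8})$"
)

# Constants from the Windows SDK headers (shlobj.h, winreg.h, wincred.h, winnt.h).
CSIDL = {0x00: "DESKTOP", 0x05: "PERSONAL", 0x08: "RECENT",
         0x1A: "APPDATA", 0x1C: "LOCAL_APPDATA", 0x28: "PROFILE"}
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
KEY_READ, CRED_ENUMERATE_ALL_CREDENTIALS, FILE_ATTRIBUTE_NORMAL = 0x20019, 0x1, 0x80

# Assumption of this example: which call combinations imply which behaviour.
RULES = {
    "credential-manager-dump": {"CredEnumerateA"},
    "registry-walk": {"RegOpenKeyExA", "RegEnumKeyA", "RegQueryValueExA"},
    "user-profile-collection": {"SHGetFolderPathA", "CopyFileA"},
    "recursive-cleanup": {"FindFirstFileA", "DeleteFileA", "RemoveDirectoryA"},
    "ini-parsing": {"GetPrivateProfileSectionNamesA", "GetPrivateProfileStringA"},
}


def _arg(tok):
    # The report prints "?" for arguments it could not recover; keep those as strings.
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok


def decode(name, a):
    """Meaning of the constant arguments for the calls that matter when triaging a stealer."""
    def const(i):
        return a[i] if i < len(a) and isinstance(a[i], int) else None
    if name == "SHGetFolderPathA" and const(1) is not None:
        return "CSIDL_" + CSIDL.get(a[1], "0x%X" % a[1])
    if name == "RegOpenKeyExA":                # fixed arity: hKey, subkey, options, sam, result
        root = HKEY.get(const(0), "hKey=%s" % (hex(a[0]) if const(0) is not None else a[0]))
        access = "KEY_READ" if const(3) == KEY_READ else "samDesired=%s" % a[3]
        return root + ", " + access
    if name == "CredEnumerateA":               # Filter == NULL and Flags == 1: whole vault
        return "all credentials" if const(1) == CRED_ENUMERATE_ALL_CREDENTIALS else "flags=%s" % a[1]
    if name == "SetFileAttributesA" and const(1) == FILE_ATTRIBUTE_NORMAL:
        return "FILE_ATTRIBUTE_NORMAL (read-only bit cleared before deletion)"
    if name == "FindFirstFileA":
        pats = [x for x in a if isinstance(x, str) and x != "?"]
        return "pattern " + pats[0] if pats else ""
    return ""


def parse_trace(text):
    calls = []
    for raw in text.strip().splitlines():
        line = raw.strip().lstrip("•").strip()
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised trace line: %r" % line)
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
        calls.append({"name": m["name"], "module": m["mod"], "args": args,
                      "ref": int(m["ref"], 16),
                      "sub": int(m["sub"], 16) if m["sub"] else None,
                      "meaning": decode(m["name"], args)})
    return calls


def behaviours(calls):
    names = {c["name"] for c in calls}
    return sorted(tag for tag, need in RULES.items() if need <= names)


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for c in calls:
        where = " (inlined from sub_%08X)" % c["sub"] if c["sub"] else ""
        print("%08X %-24s %-10s %s%s" % (c["ref"], c["name"], c["module"], c["meaning"], where))
    print("behaviours:", ", ".join(behaviours(calls)))
```

The decoded view is what turns the raw table into a finding: RegOpenKeyExA opens HKEY_CURRENT_USER with KEY_READ and the loop then enumerates subkeys and queries values, CredEnumerateA is called with a NULL filter and flags 1 (every entry in the user's Credential Manager, freed afterwards with LocalFree), SHGetFolderPathA resolves APPDATA and PROFILE before the CopyFileA calls, and the cleanup routine clears read-only attributes before deleting. The rule table is deliberately small; extend it with the call sets of the other records on this page rather than with names the trace does not contain.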
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049B158
                                        • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049B265
                                        • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049B458
                                        • lstrlen.KERNEL32(?), ref: 0049D22D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                        • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with
                                        • API String ID: 1311570089-747751661
                                        • Opcode ID: 93517ee6eb711d4bd509933be439051feb22b0957d1c900c794dee307da9bfb8
                                        • Instruction ID: b2dbe3f5757ef5304a2bca7f4d9e3a7c922558eb406562d1b13ccbd165419304
                                        • Opcode Fuzzy Hash: 93517ee6eb711d4bd509933be439051feb22b0957d1c900c794dee307da9bfb8
                                        • Instruction Fuzzy Hash: BF2321B0D042688BDB25CF28C9947EDBBB1BF59304F1082EAE449A7281DB746BC4CF55

                                        Control-flow Graph

                                        control_flow_graph 9717 4c8590-4c85c2 WSAStartup 9718 4c85c8-4c85f2 call 4ea420 * 2 9717->9718 9719 4c8696-4c869f 9717->9719 9724 4c85fe-4c8644 getaddrinfo 9718->9724 9725 4c85f4-4c85f8 9718->9725 9726 4c8646-4c864c 9724->9726 9727 4c8690 WSACleanup 9724->9727 9725->9719 9725->9724 9728 4c864e 9726->9728 9729 4c86a4-4c86ae FreeAddrInfoW 9726->9729 9727->9719 9730 4c8654-4c8668 socket 9728->9730 9729->9727 9731 4c86b0-4c86b8 9729->9731 9730->9727 9732 4c866a-4c867a connect 9730->9732 9733 4c867c-4c8684 closesocket 9732->9733 9734 4c86a0 9732->9734 9733->9730 9735 4c8686-4c868a FreeAddrInfoW 9733->9735 9734->9729 9735->9727
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                        • String ID:
                                        • API String ID: 448659506-0
                                        • Opcode ID: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                        • Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
                                        • Opcode Fuzzy Hash: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                        • Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049D4F4
                                        • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049D5F2
                                        • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049D7E5
                                        • lstrlen.KERNEL32(?), ref: 0049EF32
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                        • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                        • API String ID: 1311570089-3306948993
                                        • Opcode ID: b5ec6e46c9fa93774a4e05dd67c8e5c6bb6882a872f3dbbac4ebd9fb545e5b7d
                                        • Instruction ID: d38aed82ee4788d52106214de1412b854dd9129e0c255bb6c7140376d04d8967
                                        • Opcode Fuzzy Hash: b5ec6e46c9fa93774a4e05dd67c8e5c6bb6882a872f3dbbac4ebd9fb545e5b7d
                                        • Instruction Fuzzy Hash: 570334B0D042688BDB25CF28C9947EEBBB4BF59304F1042EED449A7281EB746B84CF55

                                        Control-flow Graph

                                         control_flow_graph 12753 4c6d80-4c6ddc 12754 4c7004-4c7018 call 4339b3 12753->12754 12755 4c6de2-4c6df1 call 432b99 12753->12755 12754->12755 12760 4c701e-4c704a call 408710 call 4338de call 433962 12754->12760 12761 4c704f-4c7051 call 432534 12755->12761 12762 4c6df7-4c6e01 12755->12762 12760->12755 12763 4c7056-4c71ad call 432534 call 41ae80 call 4163b0 call 4e74c0 DeleteFileA call 4359b0 call 435270 call 4359b0 call 435270 call 4359b0 call 435270 12761->12763 12762->12763 12764 4c6e07-4c6eff call 4ea420 call 41ab20 call 41ad80 call 409280 call 402df0 12762->12764 12823 4c71af-4c71b6 12763->12823 12824 4c71c0-4c71c5 call 418dc0 12763->12824 12793 4c6fb5-4c7003 call 4163b0 call 432baa call 402df0 * 2 12764->12793 12794 4c6f05-4c6f0c 12764->12794 12794->12793 12797 4c6f12-4c6f1e GetPEB 12794->12797 12800 4c6f20-4c6f34 12797->12800 12803 4c6f36-4c6f3b 12800->12803 12804 4c6f87-4c6f89 12800->12804 12803->12804 12807 4c6f3d-4c6f43 12803->12807 12804->12800 12808 4c6f45-4c6f5a 12807->12808 12811 4c6f5c 12808->12811 12812 4c6f7d-4c6f85 12808->12812 12817 4c6f60-4c6f73 12811->12817 12812->12804 12812->12808 12817->12817 12820 4c6f75-4c6f7b 12817->12820 12820->12812 12822 4c6f8b-4c6faf 12820->12822 12822->12793 12822->12797 12825 4c71b8 12823->12825 12826 4c71ba-4c71be 12823->12826 12829 4c71ca-4c71d1 12824->12829 12825->12826 12826->12829 12830 4c71d5-4c71e9 12829->12830 12831 4c71d3 12829->12831 12832 4c71ed-4c7204 12830->12832 12833 4c71eb 12830->12833 12831->12830 12834 4c7208-4c7224 12832->12834 12835 4c7206 12832->12835 12833->12832 12836 4c7228-4c722f 12834->12836 12837 4c7226 12834->12837 12835->12834 12838 4c7231 12836->12838 12839 4c7233-4c72ef call 435270 call 4ea420 12836->12839 12837->12836 12838->12839 12844 4c72f2-4c72f7 12839->12844 12844->12844 12845 4c72f9-4c7347 call 403040 call 409280 call 4ea420 12844->12845 12852 4c734d-4c7413 call 408f20 call 4ea420 12845->12852 12853 4c7349 12845->12853 12858 4c7416-4c741b 12852->12858 12853->12852 12858->12858 12859 4c741d-4c7438 call 403040 call 409280 12858->12859 12863 4c743d-4c744c 12859->12863 12864 4c746d-4c7476 12863->12864 12865 4c744e-4c7455 12863->12865 12866 4c7478-4c747f 12864->12866 12867 4c7496-4c74c3 call 402df0 * 2 12864->12867 12865->12864 12868 4c7457-4c7464 12865->12868 12866->12867 12869 4c7481-4c748d 12866->12869 12868->12864 12875 4c7466-4c7468 12868->12875 12869->12867 12876 4c748f-4c7491 12869->12876 12875->12864 12876->12867
                                        APIs
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004C7051
                                          • Part of subcall function 00432534: __EH_prolog3.LIBCMT ref: 00432570
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004C7062
                                          • Part of subcall function 004E74C0: __fread_nolock.LIBCMT ref: 004E7609
                                        • DeleteFileA.KERNELBASE(?), ref: 004C70EB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Cpp_errorThrow_std::_$DeleteFileH_prolog3__fread_nolock
                                        • String ID: 131$gemot
                                        • API String ID: 3880692912-2495630133
                                        • Opcode ID: ed82176a8a559ef53b8c12fb7edaf71171fa2efdd5e6f73f41023a368e686b71
                                        • Instruction ID: 7966019704e3fd473910eda9b3190c6326d4c2da0caac65bea49cbac806563d6
                                        • Opcode Fuzzy Hash: ed82176a8a559ef53b8c12fb7edaf71171fa2efdd5e6f73f41023a368e686b71
                                        • Instruction Fuzzy Hash: 1E32ACB4D04248CFCB04DFA8C985BAEBBB1BF58304F14419EE8056B392D779AA45CF95

                                        Control-flow Graph

                                         control_flow_graph 12878 4fad00-4fad1e call 4fbf00 12881 4fb35e-4fb364 12878->12881 12882 4fad24-4fad2d 12878->12882 12883 4fad2f-4fad31 12882->12883 12884 4fad33-4fad39 12882->12884 12885 4fad53-4fad59 12883->12885 12886 4fad3f-4fad50 12884->12886 12887 4fad3b-4fad3d 12884->12887 12888 4fad5b-4fad61 12885->12888 12889 4fad63-4fad6a 12885->12889 12886->12885 12887->12885 12890 4fad72-4fad8f call 54a0f0 12888->12890 12889->12890 12891 4fad6c 12889->12891 12894 4fb348 12890->12894 12895 4fad95-4fada7 call 4359b0 12890->12895 12891->12890 12897 4fb34a 12894->12897 12901 4fadeb-4fadf0 12895->12901 12902 4fada9-4fadb0 12895->12902 12899 4fb34f-4fb354 call 54b110 12897->12899 12908 4fb356-4fb35b 12899->12908 12904 4fadfc-4faeb4 call 54a8c0 12901->12904 12905 4fadf2-4fadf9 12901->12905 12906 4fadc9-4fadd9 12902->12906 12907 4fadb2-4fadc4 call 549d90 12902->12907 12915 4faf19-4faf88 call 4fb370 * 4 12904->12915 12916 4faeb6-4faec4 call 5475d0 12904->12916 12905->12904 12906->12901 12917 4faddb-4fade6 call 549d90 12906->12917 12907->12897 12908->12881 12927 4faec9-4faece 12915->12927 12942 4faf8e 12915->12942 12925 4faec7 12916->12925 12917->12897 12925->12927 12929 4faeda-4faee2 12927->12929 12930 4faed0-4faed7 12927->12930 12931 4fb31b-4fb321 12929->12931 12932 4faee8-4faeed 12929->12932 12930->12929 12931->12897 12935 4fb323-4fb32c 12931->12935 12932->12931 12934 4faef3-4faef8 12932->12934 12934->12931 12938 4faefe-4faf18 12934->12938 12935->12899 12939 4fb32e-4fb330 12935->12939 12939->12908 12941 4fb332-4fb347 12939->12941 12943 4faf93-4faf97 12942->12943 12943->12943 12944 4faf99-4fafaf 12943->12944 12945 4fafb1-4fafbd 12944->12945 12946 4fb000 12944->12946 12947 4fafbf-4fafc1 12945->12947 12948 4faff0-4faffe 12945->12948 12949 4fb002-4fb015 call 5461b0 12946->12949 12950 4fafc3-4fafe2 12947->12950 12948->12949 12954 4fb01c 12949->12954 12955 4fb017-4fb01a 12949->12955 12950->12950 12952 4fafe4-4fafed 12950->12952 12952->12948 12956 4fb01e-4fb063 call 4fb370 call 4fb5d0 12954->12956 12955->12956 12961 4fb065-4fb07e call 5475d0 12956->12961 12962 4fb083-4fb0d1 call 51ba20 * 2 12956->12962 12961->12925 12962->12925 12969 4fb0d7-4fb102 call 5475d0 call 4fb710 12962->12969 12974 4fb108-4fb10d 12969->12974 12975 4fb1a4-4fb1b2 12969->12975 12978 4fb110-4fb114 12974->12978 12976 4fb1b8-4fb1bd 12975->12976 12977 4fb2c1-4fb2cb 12975->12977 12981 4fb1c0-4fb1c7 12976->12981 12979 4fb2df-4fb2e3 12977->12979 12980 4fb2cd-4fb2d2 12977->12980 12978->12978 12982 4fb116-4fb127 12978->12982 12979->12927 12984 4fb2e9-4fb2ef 12979->12984 12980->12979 12983 4fb2d4-4fb2d9 12980->12983 12985 4fb1cd-4fb1dc 12981->12985 12986 4fb1c9-4fb1cb 12981->12986 12987 4fb129-4fb130 12982->12987 12988 4fb133-4fb14b call 51bbd0 12982->12988 12983->12927 12983->12979 12984->12927 12990 4fb2f5-4fb30e call 5475d0 call 4fbbd0 12984->12990 12991 4fb1e8-4fb1ee 12985->12991 13001 4fb1de-4fb1e5 12985->13001 12986->12991 12987->12988 12998 4fb14d-4fb166 call 4fb710 12988->12998 12999 4fb169-4fb16e 12988->12999 13012 4fb313-4fb316 12990->13012 12996 4fb1f7-4fb1fc 12991->12996 12997 4fb1f0-4fb1f5 12991->12997 13002 4fb1ff-4fb201 12996->13002 12997->13002 12998->12999 13007 4fb185-4fb18f 12999->13007 13008 4fb170-4fb180 call 5475d0 12999->13008 13001->12991 13003 4fb20d-4fb214 13002->13003 13004 4fb203-4fb20a 13002->13004 13009 4fb216-4fb227 13003->13009 13010 4fb242-4fb244 13003->13010 13004->13003 13015 4fb19b-4fb19e 13007->13015 13016 4fb191-4fb198 13007->13016 13008->13007 13026 4fb23f 13009->13026 13027 4fb229-4fb23c call 5475d0 13009->13027 13020 4fb246-4fb24d 13010->13020 13021 4fb2b0-4fb2bb 13010->13021 13012->12927 13015->12975 13017 4fb1a0 13015->13017 13016->13015 13017->12975 13023 4fb24f-4fb256 13020->13023 13024 4fb2a6 13020->13024 13021->12977 13021->12981 13028 4fb258-4fb25f 13023->13028 13029 4fb262-4fb282 13023->13029 13031 4fb2ad 13024->13031 13026->13010 13027->13026 13028->13029 13035 4fb28a-4fb29b 13029->13035 13036 4fb284 13029->13036 13031->13021 13035->13021 13038 4fb29d-4fb2a4 13035->13038 13036->13035 13038->13031
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
                                        • API String ID: 0-1885142750
                                        • Opcode ID: 709491dc051ea1e70093cc478a2a2d0c63acaf5bae6c4c00e9975ec16f4ae69b
                                        • Instruction ID: 5912c9be0b5fe0253428befa1510005b8e6d21b15bd6994098c8da1f87b2af15
                                        • Opcode Fuzzy Hash: 709491dc051ea1e70093cc478a2a2d0c63acaf5bae6c4c00e9975ec16f4ae69b
                                        • Instruction Fuzzy Hash: 510258B0A007089BEB209F15DC4577B7BE4EF51304F14442EEA4A9B391EBB9E944CBC6

                                        Control-flow Graph

                                         control_flow_graph 13710 4df030-4df14d call 4359b0 SHGetFolderPathA 13713 4df150-4df155 13710->13713 13713->13713 13714 4df157-4df179 call 403040 13713->13714 13717 4df180-4df185 13714->13717 13717->13717 13718 4df187-4df1e9 call 41fbf0 13717->13718 13721 4df1eb-4df1fa 13718->13721 13722 4df21a-4df247 call 4e6ca0 13718->13722 13724 4df1fc-4df20a 13721->13724 13725 4df210-4df217 call 4338f3 13721->13725 13729 4df24d-4df310 call 41ab20 call 4e6ca0 13722->13729 13730 4dfe6b-4dfe7b 13722->13730 13724->13725 13727 4dfed9 call 438c70 13724->13727 13725->13722 13734 4dfede call 402c60 13727->13734 13751 4df333-4df3c3 13729->13751 13752 4df312-4df32d CreateDirectoryA 13729->13752 13735 4dfe7d-4dfe89 13730->13735 13736 4dfea5-4dfed8 call 402df0 13730->13736 13745 4dfee3 call 402c60 13734->13745 13740 4dfe9b-4dfea2 call 4338f3 13735->13740 13741 4dfe8b-4dfe99 13735->13741 13740->13736 13741->13740 13746 4dfeed-4dfef2 call 438c70 13741->13746 13753 4dfee8 call 402c60 13745->13753 13756 4df3c6-4df3cb 13751->13756 13752->13751 13755 4dfe59 13752->13755 13753->13746 13758 4dfe5c-4dfe66 call 402df0 13755->13758 13756->13756 13759 4df3cd-4df3dd 13756->13759 13758->13730 13759->13734 13761 4df3e3-4df44b call 41e8a0 call 4e6ca0 call 402df0 13759->13761 13768 4df65e-4df6ee 13761->13768 13769 4df451-4df511 call 41ab20 call 4e6ca0 13761->13769 13771 4df6f1-4df6f6 13768->13771 13778 4df534-4df603 call 4163b0 call 41ab20 call 4dff00 13769->13778 13779 4df513-4df52e CreateDirectoryA 13769->13779 13771->13771 13773 4df6f8-4df703 13771->13773 13773->13745 13775 4df709-4df76b call 41e8a0 call 4e6ca0 call 402df0 13773->13775 13791 4df771-4df831 call 41ab20 call 4e6ca0 13775->13791 13792 4df982-4dfa9b 13775->13792 13797 4df60d-4df64a call 402cf0 call 4e6770 call 402df0 13778->13797 13798 4df605-4df60b 13778->13798 13779->13778 13781 4df64f-4df659 call 402df0 13779->13781 13781->13768 13808 4df858-4df927 call 4163b0 call 41ab20 call 4dff00 13791->13808 13809 4df833-4df852 CreateDirectoryA 13791->13809 13795 4dfaa0-4dfaa5 13792->13795 13795->13795 13800 4dfaa7-4dfab0 13795->13800 13797->13781 13798->13781 13800->13753 13803 4dfab6-4dfb18 call 41e8a0 call 4e6ca0 call 402df0 13800->13803 13803->13758 13823 4dfb1e-4dfc64 call 41ab20 call 4e6ca0 13803->13823 13827 4df929-4df92f 13808->13827 13828 4df931-4df96e call 402cf0 call 4e6770 call 402df0 13808->13828 13809->13808 13812 4df973-4df97d call 402df0 13809->13812 13812->13792 13835 4dfc8b-4dfdfe call 4163b0 call 41ab20 call 4dff00 13823->13835 13836 4dfc66-4dfc85 CreateDirectoryA 13823->13836 13827->13812 13828->13812 13847 4dfe08-4dfe45 call 402cf0 call 4e6770 call 402df0 13835->13847 13848 4dfe00-4dfe06 13835->13848 13836->13835 13838 4dfe4a-4dfe54 call 402df0 13836->13838 13838->13755 13847->13838 13848->13838
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF329
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF52A
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF84A
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DFC7D
                                          • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesErrorFindFirstFolderLastPath
                                        • String ID:
                                        • API String ID: 2127212259-0
                                        • Opcode ID: 0a9d66dacc852727762dd02661486b9ec628ab0a78a4986b9bfafa3a96ef7e23
                                        • Instruction ID: 8e27dc709fe3b7ff7b62f4d1f71842afe3ac2492894b6e8ccfd466f18f63ab33
                                        • Opcode Fuzzy Hash: 0a9d66dacc852727762dd02661486b9ec628ab0a78a4986b9bfafa3a96ef7e23
                                        • Instruction Fuzzy Hash: DBA202B4D0425D8BDF25CFA8C995AEEBBB0BF18304F2041AAD949B7351D7341A84CFA5

                                        Control-flow Graph

                                         control_flow_graph 13854 4de430-4de53b call 4359b0 SHGetFolderPathA 13857 4de540-4de545 13854->13857 13857->13857 13858 4de547-4de563 call 403040 13857->13858 13861 4de566-4de56b 13858->13861 13861->13861 13862 4de56d-4de64d call 41fbf0 call 418f00 13861->13862 13867 4de64f-4de65e 13862->13867 13868 4de67e-4de6a6 13862->13868 13869 4de674-4de67b call 4338f3 13867->13869 13870 4de660-4de66e 13867->13870 13871 4de6a8-4de6b7 13868->13871 13872 4de6d7-4de70a call 4e6ca0 13868->13872 13869->13868 13870->13869 13874 4df016 call 438c70 13870->13874 13876 4de6cd-4de6d4 call 4338f3 13871->13876 13877 4de6b9-4de6c7 13871->13877 13882 4def96-4defa6 13872->13882 13883 4de710-4de7ca call 41ab20 call 4e6d70 13872->13883 13884 4df01b call 402c60 13874->13884 13876->13872 13877->13874 13877->13876 13888 4defa8-4defb7 13882->13888 13889 4defd3-4df015 call 402df0 * 2 13882->13889 13907 4deb14-4deba4 13883->13907 13908 4de7d0-4de8b0 call 41ab20 call 41ad80 call 402df0 call 4e6ca0 13883->13908 13892 4df020 call 402c60 13884->13892 13893 4defc9-4defd0 call 4338f3 13888->13893 13894 4defb9-4defc7 13888->13894 13903 4df025 call 402c60 13892->13903 13893->13889 13894->13893 13898 4df02a-4df02f call 438c70 13894->13898 13903->13898 13911 4deba7-4debac 13907->13911 13926 4de8d7-4de982 call 41ab20 13908->13926 13927 4de8b2-4de8d1 CreateDirectoryA 13908->13927 13911->13911 13913 4debae-4debb9 13911->13913 13913->13892 13915 4debbf-4dec27 call 41e8a0 call 4e6ca0 call 402df0 13913->13915 13915->13882 13931 4dec2d-4ded01 call 41ab20 call 41ad80 call 402df0 call 4e6ca0 13915->13931 13935 4de984 13926->13935 13936 4de986-4dea19 13926->13936 13927->13926 13929 4deb05-4deb0f call 402df0 13927->13929 13929->13907 13951 4ded1f-4dedaf 13931->13951 13952 4ded03-4ded19 CreateDirectoryA 13931->13952 13935->13936 13938 4dea20-4dea25 13936->13938 13938->13938 13940 4dea27-4dea32 13938->13940 13940->13884 13942 4dea38-4deab1 call 41e8a0 CopyFileA call 402df0 * 2 13940->13942 13961 4deabe-4deafb call 402cf0 call 4e6770 call 402df0 13942->13961 13962 4deab3-4deabc 13942->13962 13955 4dedb2-4dedb7 13951->13955 13952->13951 13954 4def87 13952->13954 13956 4def8a-4def91 call 402df0 13954->13956 13955->13955 13958 4dedb9-4dedc2 13955->13958 13956->13882 13958->13903 13959 4dedc8-4dee57 call 41e8a0 call 402df0 * 2 call 4e6ca0 13958->13959 13977 4dee59-4dee6f CreateDirectoryA 13959->13977 13978 4dee75-4def41 call 4163b0 call 41ab20 call 4dff00 13959->13978 13963 4deb00 13961->13963 13962->13963 13963->13929 13977->13956 13977->13978 13985 4def4e-4def82 call 402cf0 call 4e6770 call 402df0 13978->13985 13986 4def43-4def4c 13978->13986 13985->13954 13986->13954
                                        APIs
                                        • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                                          • Note: nFolder 0x1A is CSIDL_APPDATA, so this resolves the per-user %APPDATA% directory before the CreateDirectoryA / CopyFileA calls below
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DE8C9
                                        • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DEA83
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DED11
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DEE67
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesCopyErrorFolderLastPath
                                        • String ID:
                                        • API String ID: 1001086254-0
                                        • Opcode ID: 421e36309c22111a033c8f9f38f840648b1e0bb665710f0a707a7c163fba85ac
                                        • Instruction ID: 4de69712ac24b7a09e9bc2c7d11d42553b755471a164b72fa8c1d2b7ead1c118
                                        • Opcode Fuzzy Hash: 421e36309c22111a033c8f9f38f840648b1e0bb665710f0a707a7c163fba85ac
                                        • Instruction Fuzzy Hash: 298225B0C042598BCB15CFA9C995BEEBBB0BF18304F10419ED549BB382DB745A85CFA5

                                        Control-flow Graph

                                        • Control-flow graph of the function at 004C6000 (node list omitted; rendered as an image in the original report): FindFirstFileA / FindNextFileA enumeration loop that exits through GetLastError and FindClose.
                                        APIs
                                        • FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                        • FindNextFileA.KERNELBASE(00000000,00000010), ref: 004C643F
                                        • GetLastError.KERNEL32 ref: 004C644D
                                        • FindClose.KERNEL32(00000000), ref: 004C645D
                                        Memory Dump Source
                                        • Same source file, associated dumps and IDA snapshot as listed for the function at 004DE430 above
                                        Similarity
                                        • API ID: Find$File$CloseErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 819619735-0
                                        • Opcode ID: 90cf4eca11af66bb089fdb4a1b4223e767fc84b405f6936ed3c5d03910aaf901
                                        • Instruction ID: afe6fe270f27518361ed143ef8865d869d8c660e8b4c9bb3a5978c93709ae348
                                        • Opcode Fuzzy Hash: 90cf4eca11af66bb089fdb4a1b4223e767fc84b405f6936ed3c5d03910aaf901
                                        • Instruction Fuzzy Hash: ACD17CB4C043488FDB24CF98C994BEEBBB1BF45314F14829ED4496B392D7785A84CB59
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
                                          • Note: ppszDataDescr, pOptionalEntropy and pPromptStruct are NULL and dwFlags is 0, i.e. a user-scope DPAPI blob is decrypted silently in the calling user's context
                                        • LocalFree.KERNEL32(?), ref: 004C6B86
                                        • LocalFree.KERNEL32(?), ref: 004C6C82
                                          • Note: LocalFree releases the pbData buffer that CryptUnprotectData returns in the output DATA_BLOB
                                        Memory Dump Source
                                        • Same source file, associated dumps and IDA snapshot as listed for the function at 004DE430 above
                                        Similarity
                                        • API ID: FreeLocal$CryptDataUnprotect
                                        • String ID:
                                        • API String ID: 2835072361-0
                                        • Opcode ID: ca1e730759337fa49bbce61ea0016bf7f681cd111c34800b91b137380e4f608d
                                        • Instruction ID: 6019ec204b0dd747d4126109e6a4f8e7bf51aa55734569d67b400ef60c6c0d13
                                        • Opcode Fuzzy Hash: ca1e730759337fa49bbce61ea0016bf7f681cd111c34800b91b137380e4f608d
                                        • Instruction Fuzzy Hash: 6171B171C002489BDB00DFA8C945BEEFBB4EF14314F10826EE851B3391EB786A44DBA5
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053F705
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053FA07
                                        Memory Dump Source
                                        • Same source file, associated dumps and IDA snapshot as listed for the function at 004DE430 above
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 885266447-0
                                        • Opcode ID: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                                        • Instruction ID: 1f76d2344d35fe0e13097961589cbfb84b6978ae6f877586e2245b879765d82e
                                        • Opcode Fuzzy Hash: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                                        • Instruction Fuzzy Hash: E3029C71A04702AFDB18CF29C840B6ABBE4BF88318F14867DE859D7650D774ED94CB92
                                        Memory Dump Source
                                        • Same source file, associated dumps and IDA snapshot as listed for the function at 004DE430 above
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                                        • Instruction ID: 127d1e6b524efbadbaaaff55744b8fab0cc6e196c82b7e7b6ae44d0b7ee8643f
                                        • Opcode Fuzzy Hash: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                                        • Instruction Fuzzy Hash: 3BB1F67090060A9BFB28CE68D855ABFBBB1AF04304F140A1FDA52A7791C77D9D21CB59

                                        Control-flow Graph

                                        • Control-flow graph of the function at 004C7B00 (node list omitted; rendered as an image in the original report): setsockopt / recv receive loop with WSAGetLastError handling and Sleep-based retry; the connection itself is established in subcall 004C8590.
                                        APIs
                                        • setsockopt.WS2_32(00000358,0000FFFF,00001006,?,00000008), ref: 004C7BA6
                                          • Note: level 0xFFFF is SOL_SOCKET and optname 0x1006 is SO_RCVTIMEO, so a receive timeout is set on socket 0x358 before the recv loop
                                        • recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
                                          • Note: 4 bytes with flags 0x2 = MSG_PEEK (data is inspected but left in the socket buffer)
                                        • WSAGetLastError.WS2_32 ref: 004C7BC5
                                        • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
                                          • Note: 12 bytes with MSG_PEEK
                                        • recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
                                          • Note: 12 bytes with flags 0x8 = MSG_WAITALL (blocks until the full 12-byte header has arrived or the timeout fires)
                                        • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
                                          • Note: SOL_SOCKET / SO_RCVTIMEO again; the socket handle was not captured in this stack snapshot, so the arguments appear shifted by one
                                        • recv.WS2_32(00000000,?,00000008), ref: 004C7D1B
                                          • Note: variable-length body read with MSG_WAITALL, the length having been taken from the peeked header
                                          • Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
                                          • Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
                                          • Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
                                          • Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
                                          • Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
                                          • Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
                                          • Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690
                                          • Note: 004C8590 is the outbound connection helper (getaddrinfo, socket, connect); the address and port are not visible in this trace
                                        • recv.WS2_32(?,00000004,00000008), ref: 004C7E23
                                          • Note: 4 bytes with MSG_WAITALL
                                        • __Xtime_get_ticks.LIBCPMT ref: 004C7E2A
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
                                        • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
                                        • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9
                                          • Note: 1 ms and 100 ms (0x64) back-off sleeps on the retry path of the receive loop
                                        Memory Dump Source
                                        • Same source file, associated dumps and IDA snapshot as listed for the function at 004DE430 above
                                        Similarity
                                        • API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
                                        • String ID:
                                        • API String ID: 3089209366-0
                                        • Opcode ID: f9e28bc168eabd23f713c9d075067e09dfc649ed2f0dd86ee053ab152bb4c171
                                        • Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
                                        • Opcode Fuzzy Hash: f9e28bc168eabd23f713c9d075067e09dfc649ed2f0dd86ee053ab152bb4c171
                                        • Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95
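The API lists above are the report's own trace of the sample. The Python below is an added example, not Joe Sandbox code and not code from the sample, that parses lines in that report shape and annotates the constants an analyst has to decode by hand when triaging such a dump: CSIDL_APPDATA, SOL_SOCKET / SO_RCVTIMEO, the MSG_PEEK / MSG_WAITALL recv flags and the NULL-entropy CryptUnprotectData call. The sample input is copied from the APIs sections above; the constant values are the documented Win32 / Winsock values, and the behaviour tag names are this example's own, not a Joe Sandbox signature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Input constructed for this example: lines copied from the "APIs" sections of
# the report above. The parser accepts any line in the same Joe Sandbox shape
# ("<api>.<module>(<args>), ref: <addr>"; the parentheses may be absent).
SAMPLE_LINES = """
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
• CreateDirectoryA.KERNEL32(?,00000000), ref: 004DE8C9
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DEA83
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
• LocalFree.KERNEL32(?), ref: 004C6B86
• setsockopt.WS2_32(00000358,0000FFFF,00001006,?,00000008), ref: 004C7BA6
• recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
• recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
• Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9
• WSAGetLastError.WS2_32 ref: 004C7BC5
""".strip().splitlines()

# Documented Win32 / Winsock constants (not sample-specific values).
CSIDL_APPDATA = 0x1A
SOL_SOCKET, SO_RCVTIMEO = 0xFFFF, 0x1006
MSG_PEEK, MSG_WAITALL = 0x2, 0x8

# "<api>.<module>" optionally followed by "(args)", then ", ref: <8 hex digits>".
LINE_RE = re.compile(
    r"^\W*(?P<api>[A-Za-z_][\w$@?:]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple          # int per argument; None where the trace shows '?'
    ref: int             # address of the call site


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(_parse_arg(t) for t in raw.split(",")) if raw else ()
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def _flag_names(flags: int) -> str:
    names = [n for bit, n in ((MSG_PEEK, "MSG_PEEK"), (MSG_WAITALL, "MSG_WAITALL")) if flags & bit]
    return "|".join(names) if names else hex(flags)


def explain(call: ApiCall) -> Optional[str]:
    """One-line analyst annotation for calls whose constant arguments carry meaning."""
    a = call.args
    if call.api == "SHGetFolderPathA" and len(a) > 1 and a[1] == CSIDL_APPDATA:
        return "resolves %APPDATA% (CSIDL_APPDATA=0x1A)"
    if call.api == "setsockopt" and a[1:3] == (SOL_SOCKET, SO_RCVTIMEO):
        return "sets SO_RCVTIMEO (receive timeout) on the socket"
    if call.api == "recv" and len(a) >= 3 and a[2] is not None:
        size = "?" if a[1] is None else str(a[1])
        return f"recv {size} bytes with flags {_flag_names(a[2])}"
    if call.api == "CryptUnprotectData" and len(a) >= 6:
        entropy = "no optional entropy" if a[2] == 0 else "caller-supplied entropy"
        return f"DPAPI decrypt, {entropy}, dwFlags={a[5]}"
    return None


def behaviour_tags(calls) -> set:
    """Coarse triage tags from API co-occurrence (tag names are this example's own)."""
    apis = {c.api for c in calls}
    tags = set()
    if "CryptUnprotectData" in apis:
        tags.add("dpapi-decrypt")
    if {"SHGetFolderPathA", "CreateDirectoryA", "CopyFileA"} <= apis:
        tags.add("file-staging-under-user-profile")
    if "recv" in apis and any(c.api == "setsockopt" and c.args[1:3] == (SOL_SOCKET, SO_RCVTIMEO)
                              for c in calls):
        tags.add("recv-loop-with-timeout")
    return tags


def triage(lines):
    """Parse report lines; return (calls, {api@ref: note}, tags)."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    notes = {f"{c.api}@{c.ref:08X}": explain(c) for c in calls if explain(c)}
    return calls, notes, behaviour_tags(calls)


if __name__ == "__main__":
    calls, notes, tags = triage(SAMPLE_LINES)
    for key, note in notes.items():
        print(f"{key}: {note}")
    print("tags:", sorted(tags))
```

The parser deliberately tolerates the report's irregularities seen above: calls without an argument list (WSAGetLastError), `?` for arguments the tracer could not resolve, and negative stack values such as `-0000004C`. Because a shifted stack snapshot (the second setsockopt above, where the socket handle is missing) changes argument positions, constant matching is positional and will miss such lines; that is the expected behaviour rather than a false match.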

                                        Control-flow Graph

                                        • Control-flow graph of the function at 0045E140 (node list omitted; rendered as an image in the original report): a chain of CreateDirectoryA calls, each preceded by an existence check via subcall 004E6CA0 (GetFileAttributesA / GetLastError).
                                        APIs
                                          • Part of subcall function 0040B8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E242
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045E3D3
                                        • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045E4C6
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045E5BC
                                        • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 0045E808
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E986
                                        • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045EB1D
                                        • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045EC10
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045ED06
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045EDED
                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045F06D
                                        Memory Dump Source
                                        • Same source file, associated dumps and IDA snapshot as listed for the function at 004DE430 above
                                        Similarity
                                        • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                        • String ID:
                                        • API String ID: 453214671-0
                                        • Opcode ID: e1ed7e54ebd5b020c8e79904b3ae03e0818e29e9e47e40a3245b38651c09fec3
                                        • Instruction ID: 0e418cf523baa0a35c0a910b93c4bb77d5942d6061cfe1063ad62b245a56bb8b
                                        • Opcode Fuzzy Hash: e1ed7e54ebd5b020c8e79904b3ae03e0818e29e9e47e40a3245b38651c09fec3
                                        • Instruction Fuzzy Hash: 4FA226B0D012688BCB25DB65CD95BDDBBB4AF14304F0040EED44A67282EB785F88DF5A

                                         Control-flow Graph
                                         • Rendered graph not reproduced (executed / not-executed colouring lost). Basic blocks 4e4720-4e4bc0; calls in graph order: 4359b0, RegGetValueA, 416130, GetComputerNameExA, LsaOpenPolicy, LsaQueryInformationPolicy, 403440, LsaFreeMemory, LsaClose
                                        APIs
                                        • RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 004E4A70
                                        • GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 004E4ADC
                                        • LsaOpenPolicy.ADVAPI32(00000000,00587684,00000001,?), ref: 004E4B35
                                        • LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 004E4B48
                                        • LsaFreeMemory.ADVAPI32(?), ref: 004E4B76
                                        • LsaClose.ADVAPI32(?), ref: 004E4B7F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
                                        • String ID: %wZ$&"N$;Yb.
                                        • API String ID: 762890658-4094109456
                                        • Opcode ID: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                                        • Instruction ID: db120a3af714b361d6db134a28a940fef9e0d4b71911d12d67c4190411436b99
                                        • Opcode Fuzzy Hash: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                                        • Instruction Fuzzy Hash: 1EE101B4D0425A8FDB14CF98C985BEEBBB4BF08304F2041AAE949B7341D7745A85CFA5
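The APIs listings in these function records give their arguments as raw hex (the RegGetValueA / GetComputerNameExA / LsaOpenPolicy / LsaQueryInformationPolicy sequence of this record, the GetModuleHandleA / GetProcAddress / WSASend record and the RegOpenKeyExA / RegQueryValueExA record further down). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in this listing format, decodes the constants that matter for triage (registry hive, RRF_RT_ANY, COMPUTER_NAME_FORMAT, POLICY_INFORMATION_CLASS, the LSA access mask, KEY_QUERY_VALUE) from the Windows SDK definitions, and flags the host-and-domain profiling pattern this record shows. The sample input is the report's own lines copied inline; argument positions past an API's real arity are stack values in these listings and the decoder ignores them.

```python
"""Parse and decode Joe Sandbox "APIs" listing lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One listing line, e.g.
#   • RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 004E4A70
#   • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
#   • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw tokens; "?" means not recoverable statically
    ref: str                 # address of the call instruction
    subcall_of: Optional[str] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args,
                   m.group("ref").upper(), m.group("sub"))


def parse_listing(lines: List[str]) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


# Constant tables from the Windows SDK headers (winreg.h, sysinfoapi.h, ntsecapi.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
COMPUTER_NAME_FORMAT = {0: "ComputerNameNetBIOS", 1: "ComputerNameDnsHostname",
                        2: "ComputerNameDnsDomain", 3: "ComputerNameDnsFullyQualified"}
POLICY_INFO_CLASS = {3: "PolicyPrimaryDomainInformation",
                     5: "PolicyAccountDomainInformation",
                     12: "PolicyDnsDomainInformation"}

# Argument positions worth decoding, per API. Positions beyond the API's
# arity are stack residue in these listings and are never looked at.
DECODERS: Dict[str, Dict[int, tuple]] = {
    "RegGetValueA": {0: ("hkey", HIVES), 3: ("dwFlags", {0x0001FFFF: "RRF_RT_ANY"})},
    "RegOpenKeyExA": {0: ("hKey", HIVES),
                      3: ("samDesired", {0x1: "KEY_QUERY_VALUE", 0x20019: "KEY_READ"})},
    "GetComputerNameExA": {0: ("NameType", COMPUTER_NAME_FORMAT)},
    "LsaOpenPolicy": {2: ("DesiredAccess", {0x1: "POLICY_VIEW_LOCAL_INFORMATION"})},
    "LsaQueryInformationPolicy": {1: ("InformationClass", POLICY_INFO_CLASS)},
}


def _to_int(tok: str) -> Optional[int]:
    # Tokens are hex; "?" and string literals such as Ws2_32.dll decode to None.
    if not re.fullmatch(r"-?[0-9A-Fa-f]+", tok):
        return None
    return int(tok, 16)


def decode_args(call: ApiCall) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for pos, (name, table) in DECODERS.get(call.api, {}).items():
        if pos < len(call.args):
            v = _to_int(call.args[pos])
            if v is not None:
                out[name] = table.get(v, f"0x{v:X}")
    return out


def is_domain_fingerprinting(calls: List[ApiCall]) -> bool:
    """True when one function reads HKLM, asks for the machine's DNS domain and
    queries LSA for the DNS domain policy: the host-profiling sequence above."""
    seen = set()
    for c in calls:
        d = decode_args(c)
        if c.api == "RegGetValueA" and d.get("hkey") == "HKEY_LOCAL_MACHINE":
            seen.add("hklm")
        if c.api == "GetComputerNameExA" and d.get("NameType") == "ComputerNameDnsDomain":
            seen.add("dnsdomain")
        if c.api == "LsaQueryInformationPolicy" and \
                d.get("InformationClass") == "PolicyDnsDomainInformation":
            seen.add("lsadns")
    return {"hklm", "dnsdomain", "lsadns"} <= seen


# Sample input: the report's own listing lines for the two records, copied verbatim.
SUB_4E4720_APIS = """\
• RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 004E4A70
• GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 004E4ADC
• LsaOpenPolicy.ADVAPI32(00000000,00587684,00000001,?), ref: 004E4B35
• LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 004E4B48
• LsaFreeMemory.ADVAPI32(?), ref: 004E4B76
• LsaClose.ADVAPI32(?), ref: 004E4B7F
""".splitlines()

SUB_409280_APIS = """\
• GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
• WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
""".splitlines()

if __name__ == "__main__":
    for c in parse_listing(SUB_4E4720_APIS):
        print(f"{c.ref} {c.module}!{c.api} {decode_args(c)}")
    print("domain fingerprinting:", is_domain_fingerprinting(parse_listing(SUB_4E4720_APIS)))
```

Decoded, this record reads HKLM with RRF_RT_ANY, asks GetComputerNameExA for ComputerNameDnsDomain, opens LSA with POLICY_VIEW_LOCAL_INFORMATION and queries PolicyDnsDomainInformation, which is what the %wZ format string in the Similarity block is used to print (a UNICODE_STRING, as LSA returns it). The same tables extend to other listings on the page by adding entries to DECODERS.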

                                         Control-flow Graph
                                         • Rendered graph not reproduced (executed / not-executed colouring lost). Basic blocks 448910-448c9a; calls in graph order: 4416ec, 4416ff, 438c60, 44b094, 44b01a, 4425fd, 453be3, GetConsoleMode, ReadConsoleW, GetLastError, 4416a5, ReadFile, 448622, 448779, 448468
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f0ebc92e5ca6f275d4bbb75147d6ad3a24cc47560e82a7b4de6b8652cd53fa6b
                                        • Instruction ID: d4d7462daa34083545f9d93f0c5ebf53bf58a01a885379ada905c47cec286c1a
                                        • Opcode Fuzzy Hash: f0ebc92e5ca6f275d4bbb75147d6ad3a24cc47560e82a7b4de6b8652cd53fa6b
                                        • Instruction Fuzzy Hash: E2B1F4B0A00245AFFB11DF99C881BAE7BB1FF55304F14015EE414AB392CB78AD81CB69

                                         Control-flow Graph
                                         • Rendered graph not reproduced (executed / not-executed colouring lost). Basic blocks 4d6ba0-4d6d85; calls in graph order: GetLastError, 429070, 4359b0, 6CF77CF0 (RSTRTMGR export called by address, name not resolved in the dump), 415eb0, 4188d0, SetLastError, CopyFileA, GetLastError, 4e77e0, CopyFileA (retry path after the first CopyFileA fails)
                                        APIs
                                        • GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                        • 6CF77CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                        • SetLastError.KERNEL32(00000000), ref: 004D6CFE
                                        • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
                                        • GetLastError.KERNEL32(?,?,00000000), ref: 004D6D33
                                        • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CopyFile
                                        • String ID:
                                        • API String ID: 936320341-0
                                        • Opcode ID: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                        • Instruction ID: cca443e56f4e81c83c2dc89493b37bcb85ee1d7da0cfa031959f485395bd6110
                                        • Opcode Fuzzy Hash: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                        • Instruction Fuzzy Hash: 6051C172D01219ABCB21CF94DC55BEEBBB8EB04320F10026AE804B3390D7396E05CBA4

                                         Control-flow Graph
                                         • Rendered graph not reproduced (executed / not-executed colouring lost). Basic blocks 409280-4097fe; calls in graph order: 4163b0, 402df0, 4ea420, 418dc0, 435270, GetModuleHandleA, GetProcAddress, WSASend, 4338f3, 438c70
                                        APIs
                                        • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
                                        • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProcSend
                                        • String ID: Ws2_32.dll
                                        • API String ID: 2819740048-3093949381
                                        • Opcode ID: f134e1088910f21205feb50cafa7421b375cc3c6533d6feb8916e2264968fd77
                                        • Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
                                        • Opcode Fuzzy Hash: f134e1088910f21205feb50cafa7421b375cc3c6533d6feb8916e2264968fd77
                                        • Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96
                                        APIs
                                          • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                          • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                          • Part of subcall function 004E6C10: CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                                        • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00465CB0
                                        • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465FD5
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                          • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                        • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465EC6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                        • String ID:
                                        • API String ID: 453214671-0
                                        • Opcode ID: 05a502395d9f526f757c14469c863ff3b4cefea8d5e99dd5fdd399119d475625
                                        • Instruction ID: bdb7de5e538d98cc2bc1e856d074b668cb5d4ba5ca64421d2565693f44b24664
                                        • Opcode Fuzzy Hash: 05a502395d9f526f757c14469c863ff3b4cefea8d5e99dd5fdd399119d475625
                                        • Instruction Fuzzy Hash: 8053CFB0D052688FDB65DF55C994BDDBBB0BB58304F0041EAD44AA7292EB382F84DF49
                                        APIs
                                        • GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                        • GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                        • String ID:
                                        • API String ID: 995686243-0
                                        • Opcode ID: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                                        • Instruction ID: 241e2f942859b358e1133ab4bf22632851a161ac9c5554c12c2f2fb0b7350d8e
                                        • Opcode Fuzzy Hash: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                                        • Instruction Fuzzy Hash: DF11CE71A0028496DB205F6A5C08F6A7F60EB22772F64031BD8359B3D4DB3948058759
                                        APIs
                                        • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6A20
                                          • Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                          • Part of subcall function 004D6BA0: 6CF77CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B84
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1963603313.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963754539.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963789360.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963816103.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963845295.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1963871656.00000000007EF000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1964461391.00000000009B2000.00000020.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Cpp_errorThrow_std::_$CopyErrorFileLast
                                        • String ID:
                                        • API String ID: 1723067277-0
                                        • Opcode ID: e483eb5b337a640106d2fd647702f1d046535e5974e3c1cb80ba773399d43a59
                                        • Instruction ID: af59b977606615079acd7a310a8afa41bd250120d803ccb4a837ad8b48953fd5
                                        • Opcode Fuzzy Hash: e483eb5b337a640106d2fd647702f1d046535e5974e3c1cb80ba773399d43a59
                                        • Instruction Fuzzy Hash: 5BD18BB0C00249DBDB04DFA9C9557EEBBB1BF54304F14419ED80577382EB785A45CBA6
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00493D89
                                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 00493DAC
                                        • RegCloseKey.ADVAPI32(?), ref: 00493DB7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: 77d91e2ffbc41f4e718118182c7f4e60994b52f51d4fd49462c42fe523481256
                                        • Instruction ID: c2861601c7c989816088ca7cd521e7ac3defefe444e22908af63c5fcea44e6b0
                                        • Opcode Fuzzy Hash: 77d91e2ffbc41f4e718118182c7f4e60994b52f51d4fd49462c42fe523481256
                                        • Instruction Fuzzy Hash: C8C136B1D042499FDB14CFA8D986BAEBBB0EF09314F204169E905B7391E7345A84CFA5
                                        APIs
                                        • CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                                          • Part of subcall function 00432BAA: RtlReleaseSRWLockExclusive.NTDLL(004E6D30), ref: 00432BBE
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C84
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
                                        • String ID:
                                        • API String ID: 1881651058-0
                                        • Opcode ID: 1369faf54573f1097b34743c1b99fafbb3d15d6b7359fe2f2678d7eae3eda35f
                                        • Instruction ID: b54f6e02dbe68d52aaf8ce57ceccae370b453a77f91dfdb3bbc81736346272f4
                                        • Opcode Fuzzy Hash: 1369faf54573f1097b34743c1b99fafbb3d15d6b7359fe2f2678d7eae3eda35f
                                        • Instruction Fuzzy Hash: B2F049B1500640FBD7109F999D06B6ABBA8FB05731F14031AFC35A63D0D7B5190087AA
                                        APIs
                                        • DeleteFileW.KERNELBASE(?,?,0043D2B1,?), ref: 0044B9D8
                                        • GetLastError.KERNEL32(?,0043D2B1,?), ref: 0044B9E2
                                        • __dosmaperr.LIBCMT ref: 0044B9E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: DeleteErrorFileLast__dosmaperr
                                        • String ID:
                                        • API String ID: 1545401867-0
                                        • Opcode ID: 09b3d7d03d43d7566e94fc4839c3f2f0e9d57db1a11ed26f70a1bc8201ac59e9
                                        • Instruction ID: 29a5b21677c8caf908dcad016bfb5ae84cbfd6cad116b975ceede8be2d8f2443
                                        • Opcode Fuzzy Hash: 09b3d7d03d43d7566e94fc4839c3f2f0e9d57db1a11ed26f70a1bc8201ac59e9
                                        • Instruction Fuzzy Hash: 00D0C9321146086BEA106BB6BC089163B6D9A913797140616F52CC52A0EE25C895A665
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004E588F
                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004E5B9B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: DirectoryInformationVolumeWindows
                                        • String ID:
                                        • API String ID: 3487004747-0
                                        • Opcode ID: 0a0dcd09eef47cc32d5847b2942677d40245ae2126d3bdebcd0edae20a9bad6e
                                        • Instruction ID: 009fea26e280c08ebde66711631a2368a09a7ac58c7b38572a32fddf838a6e16
                                        • Opcode Fuzzy Hash: 0a0dcd09eef47cc32d5847b2942677d40245ae2126d3bdebcd0edae20a9bad6e
                                        • Instruction Fuzzy Hash: 81F157B0D002499BDB14CFA8C9957EEBBB1FF08304F24425EE545BB381DB756A84CBA5
                                        APIs
                                          • Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(B86A89DA,00000000,00000000,0043D0C7), ref: 00448F02
                                        • WriteFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?,004E6E3C,?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7), ref: 0044990E
                                        • GetLastError.KERNEL32(?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7,004E6E3C,?,00000000,?), ref: 00449918
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorFileLastOutputWrite
                                        • String ID:
                                        • API String ID: 2915228174-0
                                        • Opcode ID: 31457cb41688bf9267a4d34aaba0591c787e78cc82baf2098e7bb743f7a0da0b
                                        • Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
                                        • Opcode Fuzzy Hash: 31457cb41688bf9267a4d34aaba0591c787e78cc82baf2098e7bb743f7a0da0b
                                        • Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65
                                        APIs
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004D676A
                                        • std::_Throw_Cpp_error.LIBCPMT ref: 004D677B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Cpp_errorThrow_std::_
                                        • String ID:
                                        • API String ID: 2134207285-0
                                        • Opcode ID: ee00d86a89ee62715d60b896044e90f690cda42d917c0ef1e64fc9d0a964cb8a
                                        • Instruction ID: 177bb7d1701b8dda1f5a90c4ee3be826f8175b366ab48e47effb054e9b4aa952
                                        • Opcode Fuzzy Hash: ee00d86a89ee62715d60b896044e90f690cda42d917c0ef1e64fc9d0a964cb8a
                                        • Instruction Fuzzy Hash: 6441F2B1E002058BC720DF68995136EBBA1BB94314F19072FE815673D1EB79EA04C795
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E55
                                        • GetLastError.KERNEL32(?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E5F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: ChangeCloseErrorFindLastNotification
                                        • String ID:
                                        • API String ID: 1687624791-0
                                        • Opcode ID: b06bb773f2e3691ac59e29f36838d983fea0542ad72171c0b67bdc6ed3fb0d12
                                        • Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
                                        • Opcode Fuzzy Hash: b06bb773f2e3691ac59e29f36838d983fea0542ad72171c0b67bdc6ed3fb0d12
                                        • Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D
                                        APIs
                                        • SetFilePointerEx.KERNELBASE(00000000,00000000,0043D0C7,00000000,00000002,00000000,00000000,00000000,00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000), ref: 00442558
                                        • GetLastError.KERNEL32(00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000,?,0044982E,00000000,00000000,00000000,00000002,0043D0C7,00000000), ref: 00442565
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: 68e58f652f7d6d636abaf7dbd87b622c8ec0f619f1e8a4c00f9091375e275125
                                        • Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
                                        • Opcode Fuzzy Hash: 68e58f652f7d6d636abaf7dbd87b622c8ec0f619f1e8a4c00f9091375e275125
                                        • Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000000,00000000,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B030
                                        • GetLastError.KERNEL32(?,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B03B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 485612231-0
                                        • Opcode ID: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                        • Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
                                        • Opcode Fuzzy Hash: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                        • Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d479b4dc473ff75364f43403d3a36830ea6f3dd8b2948d9b5135abdfa02e0f6
                                        • Instruction ID: 65307ecbef6fb9e01e3d4ad067897c34c173f6a72c2a6aa1ef5fcaa49911cde8
                                        • Opcode Fuzzy Hash: 2d479b4dc473ff75364f43403d3a36830ea6f3dd8b2948d9b5135abdfa02e0f6
                                        • Instruction Fuzzy Hash: 0E02A070D04248DFDB14DF68C945BDDBBB0AB14308F14419ED8057B386EBB95E88DB9A
                                        APIs
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 0041546E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Concurrency::cancel_current_task
                                        • String ID:
                                        • API String ID: 118556049-0
                                        • Opcode ID: bec13ab4d36df1c77f4f48b23f515b006b246256a435ef31511c977ea406d557
                                        • Instruction ID: bd448271620100f3a1b1b6e8090fbb17c8ec551eb96fe3ea9a7077eb077db61a
                                        • Opcode Fuzzy Hash: bec13ab4d36df1c77f4f48b23f515b006b246256a435ef31511c977ea406d557
                                        • Instruction Fuzzy Hash: AF6199B1A00614DFCB10CF59C984B9ABBF5FF88310F24816EE8199B391C778EA41CB95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                                        • Instruction ID: 9663080612542d3e5f9b84a36c3ecf1ef98ea00319430370267f097460dfd66c
                                        • Opcode Fuzzy Hash: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                                        • Instruction Fuzzy Hash: 2651C670A00204AFDF14DF59C881AAABBA2EF8D328F24915EF8089B352D775DD41CB55
                                        APIs
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00429F7B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Concurrency::cancel_current_task
                                        • String ID:
                                        • API String ID: 118556049-0
                                        • Opcode ID: 49d9410ba7a25a1ed46be8af988e90367723f5328f058a33b79d5012bd0e806f
                                        • Instruction ID: efe4cd6a287aa12a83b409d23e88dd93d6c4865ddef84cf0d949cd52fc0f7608
                                        • Opcode Fuzzy Hash: 49d9410ba7a25a1ed46be8af988e90367723f5328f058a33b79d5012bd0e806f
                                        • Instruction Fuzzy Hash: AA410271E001259FCB14DF68C9419AEBBB9EB89310F64422EE815E7381D738DE01CBE4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID:
                                        • API String ID: 2638373210-0
                                        • Opcode ID: 025cbb467e96eb611f2940d14225f23d526d4ccfef296c2d3f6c21a772ab55fe
                                        • Instruction ID: 028c77ef4637c0ac0bfd58be9ca2c186fed01019b569c5d695070078eed700b9
                                        • Opcode Fuzzy Hash: 025cbb467e96eb611f2940d14225f23d526d4ccfef296c2d3f6c21a772ab55fe
                                        • Instruction Fuzzy Hash: A8517FB0D043499BDB10DF99D986BAEFBB4FF44714F10012EE8416B381D7796A44CBA5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID:
                                        • API String ID: 2638373210-0
                                        • Opcode ID: 630099f540daf6efa67ea676e65f3a2a0d7fe5641c6b0820276aea293422c398
                                        • Instruction ID: 959dba962c579710b3c8227977385e6342f185642bc3a86ace1f34c607c4467c
                                        • Opcode Fuzzy Hash: 630099f540daf6efa67ea676e65f3a2a0d7fe5641c6b0820276aea293422c398
                                        • Instruction Fuzzy Hash: 78416CB0D04248EBDB14DF99D985BEEBBB4FF48714F10416EE801AB381D7799901CBA5
                                        APIs
                                        • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00406908
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: ___std_fs_directory_iterator_open@12
                                        • String ID:
                                        • API String ID: 29801545-0
                                        • Opcode ID: c3b8b3600ed0ad07f9a4110fed077291c3700e835e34d0cb827fcc3074b6ad22
                                        • Instruction ID: 382a6ddcba4688358f9e0a4ad0208e6a3358ad319658d54a7c18dfc33c73484c
                                        • Opcode Fuzzy Hash: c3b8b3600ed0ad07f9a4110fed077291c3700e835e34d0cb827fcc3074b6ad22
                                        • Instruction Fuzzy Hash: AB21AE76E00619ABCB14EF49D841BAAB7B4FB84324F00466EED1663780DB396D10CB94
                                        APIs
                                        • SetupDiGetClassDevsA.SETUPAPI(0055D560,00000000,00000000), ref: 004E5D47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: ClassDevsSetup
                                        • String ID:
                                        • API String ID: 2330331845-0
                                        • Opcode ID: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
                                        • Instruction ID: 3af1858aaf6aa964ebdd9f4359c5c99147492c850a3065a18f0c0dee6211d041
                                        • Opcode Fuzzy Hash: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
                                        • Instruction Fuzzy Hash: A0110EB1D04B449BE3208F28DD0A757BBF0EB00B28F10471EE850573C1E3BA6A4887E2
                                        APIs
                                        • Concurrency::cancel_current_task.LIBCPMT ref: 0040331F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: Concurrency::cancel_current_task
                                        • String ID:
                                        • API String ID: 118556049-0
                                        • Opcode ID: 4c9de15bf43b7906aab7ed6efc04c82af185101d7b74466eda9590404471e6f8
                                        • Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
                                        • Opcode Fuzzy Hash: 4c9de15bf43b7906aab7ed6efc04c82af185101d7b74466eda9590404471e6f8
                                        • Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,000000FF,00000000), ref: 0044A69B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 44fe68ec2fca24d705c4288583a30094579fd4d4051ae38cb78614132530c581
                                        • Instruction ID: 9689b7dccde3e7d2c1426315cc49502dff6dd5535dcc2f3da2dc3831567fdc71
                                        • Opcode Fuzzy Hash: 44fe68ec2fca24d705c4288583a30094579fd4d4051ae38cb78614132530c581
                                        • Instruction Fuzzy Hash: 4CF0E0311905246BFB216A66DC05B5B375CAF41760F1E8117EC84EB190CA3CDC3146EE
                                        APIs
                                        • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406853
                                          • Part of subcall function 00431F7B: FindNextFileW.KERNELBASE(?,?,?,00406858,?,?,?,?,0040691A,?,?,?,00000000,?,?), ref: 00431F84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: FileFindNext___std_fs_directory_iterator_advance@8
                                        • String ID:
                                        • API String ID: 3878998205-0
                                        • Opcode ID: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                                        • Instruction ID: f155dccb83496c4d8f98fbb14974b26749813e83e467fdfa34ea523ab42003ff
                                        • Opcode Fuzzy Hash: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                                        • Instruction Fuzzy Hash: 63D05E22701520118D24752738085AF06498DC66A8A42447FB84AB32C2EA2D8C0311AD
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1963629538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_plTAoSCew2.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                                        • Instruction ID: ccf5b3b5ee64302dd7184922bc8d264c22512182c10063c293431932d1ea205a
                                        • Opcode Fuzzy Hash: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                                        • Instruction Fuzzy Hash: 13E09AB2C0020D9ADB00DFD5C452BEFBBB8AB08315F50446BA205E6181EB789748CBE5