
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1461134
MD5: 200f9f4aacee6abe76ff4c56869aa836
SHA1: 582e3099dba8aec26548d211ad6c3d8b5e5b6ab4
SHA256: 57bd105185f5216245ff7a967967fb191159828a9f918ece31b48030119aad52
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 200F9F4AACEE6ABE76FF4C56869AA836)
    • schtasks.exe (PID: 4476 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2336 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 6108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 1920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 432 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 200F9F4AACEE6ABE76FF4C56869AA836)
  • MPGPH131.exe (PID: 6324 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 200F9F4AACEE6ABE76FF4C56869AA836)
  • RageMP131.exe (PID: 4916 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 200F9F4AACEE6ABE76FF4C56869AA836)
  • RageMP131.exe (PID: 1448 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 200F9F4AACEE6ABE76FF4C56869AA836)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\62AbnS8U76t4fChT49E_pCT.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000002.3558548817.0000000005798000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 6332 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
Process Memory Space: file.exe PID: 6332 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: RageMP131.exe PID: 4916 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

              System Summary

              Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
              Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
              06/22/24-22:55:23.960247 | 2046269 | 49738 | 58709 | TCP | A Network Trojan was detected
              06/22/24-22:56:52.783227 | 2046267 | 58709 | 49753 | TCP | A Network Trojan was detected
              06/22/24-22:56:24.564246 | 2046266 | 58709 | 49752 | TCP | A Network Trojan was detected
              06/22/24-22:56:59.648082 | 2046269 | 49752 | 58709 | TCP | A Network Trojan was detected
              06/22/24-22:56:31.171917 | 2046266 | 58709 | 49753 | TCP | A Network Trojan was detected
              06/22/24-22:56:52.419694 | 2046267 | 58709 | 49752 | TCP | A Network Trojan was detected
              06/22/24-22:56:34.334522 | 2046269 | 49753 | 58709 | TCP | A Network Trojan was detected
              06/22/24-22:54:16.496660 | 2049060 | 49738 | 58709 | TCP | A Network Trojan was detected
              06/22/24-22:54:25.279747 | 2046267 | 58709 | 49738 | TCP | A Network Trojan was detected
              06/22/24-22:54:17.088231 | 2046266 | 58709 | 49738 | TCP | A Network Trojan was detected



              AV Detection

              Source: http://77.91.77.81/mine/amadka.exe | Avira URL Cloud: Label: phishing
              Source: http://77.91.77.81/cost/go.exe | Avira URL Cloud: Label: malware
              Source: http://77.91.77.81/cost/lenin.exet | Avira URL Cloud: Label: phishing
              Source: http://77.91.77.81/cost/lenin.exe | Avira URL Cloud: Label: phishing
              Source: http://77.91.77.81/mine/amadka.exe | Virustotal: Detection: 23%
              Source: http://77.91.77.81/cost/go.exe | Virustotal: Detection: 23%
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 52%
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 52%
              Source: file.exe | ReversingLabs: Detection: 52%
              Source: file.exe | Virustotal: Detection: 58%
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
              Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree | 0_2_004C6B00
              Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49740 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49754 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49755 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49756 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49757 version: TLS 1.2
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose | 0_2_004C6000
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error | 0_2_004E6770
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree | 0_2_00493F40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey | 0_2_004DFF00
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError | 0_2_00431F9C
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx | 0_2_00432022
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E67A8 FindFirstFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError | 0_2_004E67A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose | 0_2_004938D0

              Networking

              Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49738 -> 77.91.77.66:58709
              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49738
              Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 77.91.77.66:58709
              Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49738
              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49752
              Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49752 -> 77.91.77.66:58709
              Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49753
              Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49753 -> 77.91.77.66:58709
              Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49752
              Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49753
              Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
              Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 77.91.77.66:58709
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 [Host: ipinfo.io] [Connection: Keep-Alive]
              Source: Joe Sandbox View | IP Address: 34.117.186.192
              Source: Joe Sandbox View | IP Address: 104.26.4.15
              Source: Joe Sandbox View | IP Address: 77.91.77.66
              Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
              Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: unknown | DNS query: name: ipinfo.io
              Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 [Connection: Keep-Alive] [Referer: https://ipinfo.io/] [User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36] [Host: ipinfo.io]
              Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 [Connection: Keep-Alive] [Content-Type: application/x-www-form-urlencoded] [User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36] [Host: db-ip.com]
              Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW | 0_2_004C8590
              Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
              Source: global traffic | DNS traffic detected: DNS query: db-ip.com
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exe
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exet
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
              Source: Amcache.hve.15.dr | String found in binary or memory: http://upx.sf.net
              Source: file.exe, 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1675059249.0000000002990000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2474939313.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4142206687.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.4142253887.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2475489562.0000000002760000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2567545061.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4142172979.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2648323919.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4142168146.000000000055D000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/5
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/c
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33#
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.334C
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33C
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33ut
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/o
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33)W
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33E
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000EA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
              Source: file.exe, 00000000.00000002.3557114655.0000000000C96000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Mozilla/5.0
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/N
              Source: file.exe, 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1675059249.0000000002990000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2474939313.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4142206687.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.4142253887.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2475489562.0000000002760000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2567545061.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4142172979.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2648323919.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4142168146.000000000055D000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
              Source: file.exe, 00000000.00000002.3557114655.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/j
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/t
              Source: file.exe, 00000000.00000002.3557114655.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000E4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000D2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.335
              Source: file.exe, 00000000.00000002.3557114655.0000000000C1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33:
              Source: file.exe, 00000000.00000002.3557114655.0000000000C96000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: file.exe, 00000000.00000003.3161576522.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, n7J29lEH1LkuHistory.0.dr, tpFa0VILO3AVHistory.0.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: n7J29lEH1LkuHistory.0.dr, tpFa0VILO3AVHistory.0.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: file.exe, 00000000.00000003.3161576522.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, n7J29lEH1LkuHistory.0.dr, tpFa0VILO3AVHistory.0.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: n7J29lEH1LkuHistory.0.dr, tpFa0VILO3AVHistory.0.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: file.exe, 00000000.00000002.3558548817.0000000005798000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3557114655.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, 62AbnS8U76t4fChT49E_pCT.zip.0.drString found in binary or memory: https://t.me/RiseProSUPPORT
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000E37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT$
              Source: file.exe, 00000000.00000002.3558548817.0000000005798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT?
              Source: file.exe, 00000000.00000002.3557114655.0000000000C1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTQ
              Source: RageMP131.exe, 0000000B.00000002.4144884433.0000000000D2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTzo0u
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3165387841.0000000005836000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.drString found in binary or memory: https://t.me/risepro_bot
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botiC
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.drString found in binary or memory: https://www.ecosia.org/newtab/
              Source: file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: file.exe, 00000000.00000002.3558548817.0000000005787000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/V
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
              Source: file.exe, 00000000.00000002.3558548817.0000000005787000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/r
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
              Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49740 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49754 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49755 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49756 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49757 version: TLS 1.2
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E5FF0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,735274A0,DeleteObject,DeleteObject,ReleaseDC,0_2_004E5FF0

              System Summary

              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044002D | 0_2_0044002D
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DF030 | 0_2_004DF030
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049F0D0 | 0_2_0049F0D0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004AA200 | 0_2_004AA200
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049D3A0 | 0_2_0049D3A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004963B0 | 0_2_004963B0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00490440 | 0_2_00490440
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DE430 | 0_2_004DE430
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053F550 | 0_2_0053F550
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D7600 | 0_2_004D7600
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004986B0 | 0_2_004986B0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B8E0 | 0_2_0040B8E0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00481C10 | 0_2_00481C10
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FAD00 | 0_2_004FAD00
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00493F40 | 0_2_00493F40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049AF60 | 0_2_0049AF60
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DFF00 | 0_2_004DFF00
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00493080 | 0_2_00493080
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004371A0 | 0_2_004371A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044036F | 0_2_0044036F
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A4320 | 0_2_004A4320
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004845E0 | 0_2_004845E0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042F580 | 0_2_0042F580
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A3610 | 0_2_004A3610
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005486C0 | 0_2_005486C0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547760 | 0_2_00547760
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E77E0 | 0_2_004E77E0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004547BF | 0_2_004547BF
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043C960 | 0_2_0043C960
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043A928 | 0_2_0043A928
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044DA86 | 0_2_0044DA86
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00458BB0 | 0_2_00458BB0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EEC40 | 0_2_004EEC40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EFC40 | 0_2_004EFC40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00534D40 | 0_2_00534D40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00546D20 | 0_2_00546D20
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00545DE0 | 0_2_00545DE0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00458E30 | 0_2_00458E30
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00541F00 | 0_2_00541F00
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F2FD0 | 0_2_004F2FD0
              Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0041ACE0 appears 86 times
              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 1920
              Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
              Source: file.exe, 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exe, 00000000.00000000.1672672325.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.997961416070008
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.9927895911654135
              Source: file.exe | Static PE information: Section: ZLIB complexity 0.99267578125
              Source: file.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.997961416070008
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9927895911654135
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99267578125
              Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.997961416070008
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9927895911654135
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99267578125
              Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/31@3/3
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, | 0_2_004DFF00
              Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\RageMP131Jump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6332
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5224:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03
              Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\rage131MP.tmpJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: file.exe, 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1675059249.0000000002990000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2474939313.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4142206687.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.4142253887.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2475489562.0000000002760000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2567545061.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4142172979.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2648323919.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4142168146.000000000055D000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: file.exe, 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1675059249.0000000002990000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2474939313.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4142206687.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.4142253887.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2475489562.0000000002760000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2567545061.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4142172979.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2648323919.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4142168146.000000000055D000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: file.exe, 00000000.00000003.3159035158.0000000005798000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159314134.0000000005798000.00000004.00000020.00020000.00000000.sdmp, L8VsEhFCGIPBLogin Data.0.dr, 8uidv_1gOa1CLogin Data For Account.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: file.exeReversingLabs: Detection: 52%
              Source: file.exeVirustotal: Detection: 58%
              Source: file.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
              Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 1920
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHESTJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHESTJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: d3d11.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: dxgi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: d3d10warp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: dxcore.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: devobj.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: file.exe | Static file information: File size 3329552 > 1048576
              Source: file.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x275600
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
              Source: initial sample | Static PE information: section where entry point is pointing to: .boot
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .themida
              Source: file.exe | Static PE information: section name: .boot
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name: .themida
              Source: MPGPH131.exe.0.dr | Static PE information: section name: .boot
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name: .themida
              Source: RageMP131.exe.0.dr | Static PE information: section name: .boot
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
              Source: file.exe | Static PE information: section name: entropy: 7.970562796260684
              Source: MPGPH131.exe.0.dr | Static PE information: section name: entropy: 7.970562796260684
              Source: RageMP131.exe.0.dr | Static PE information: section name: entropy: 7.970562796260684
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
              Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
              Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Stalling execution: Execution stalls by calling Sleep (graph_0-53688)
              Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-53688)
              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-53803)
              Source: C:\Users\user\Desktop\file.exe TID: 6352 | Thread sleep count: 74 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 6352 | Thread sleep count: 31 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6112 | Thread sleep count: 86 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6112 | Thread sleep count: 242 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6112 | Thread sleep count: 81 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1848 | Thread sleep count: 187 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1848 | Thread sleep count: 91 > 30
              Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00493F40
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E67A8 FindFirstFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,0_2_004E67A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
              Source: MPGPH131.exe, 00000009.00000002.4144559384.0000000000C47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: Amcache.hve.15.dr | Binary or memory string: VMware
              Source: Amcache.hve.15.dr | Binary or memory string: VMware Virtual USB Mouse
              Source: file.exe, 00000000.00000002.3557114655.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
              Source: Amcache.hve.15.dr | Binary or memory string: vmci.syshbin
              Source: file.exe, 00000000.00000003.2453319184.0000000000C82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!
              Source: file.exe, 00000000.00000002.3558548817.00000000057DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4FD3E300
              Source: Amcache.hve.15.dr | Binary or memory string: VMware, Inc.
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000E93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: Amcache.hve.15.dr | Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.15.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.15.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.15.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: Amcache.hve.15.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
              Source: file.exe, 00000000.00000002.3557114655.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
              Source: file.exe, 00000000.00000002.3557114655.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}5
              Source: RageMP131.exe, 0000000C.00000003.3793475150.0000000000E99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000E93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_di
              Source: Amcache.hve.15.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.15.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: file.exe, 00000000.00000002.3557114655.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}sz
              Source: Amcache.hve.15.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: RageMP131.exe, 0000000C.00000002.4144857009.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
              Source: Amcache.hve.15.dr | Binary or memory string: vmci.sys
              Source: Amcache.hve.15.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: file.exe, 00000000.00000002.3558548817.00000000057DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
              Source: Amcache.hve.15.dr | Binary or memory string: vmci.syshbin`
              Source: MPGPH131.exe, 00000008.00000002.4145036164.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__m
              Source: Amcache.hve.15.dr | Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.15.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: MPGPH131.exe, 00000008.00000002.4141460726.000000000009C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__em00024
              Source: MPGPH131.exe, 00000008.00000002.4144739037.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4144784186.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: Amcache.hve.15.dr | Binary or memory string: VMware20,1
              Source: Amcache.hve.15.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.15.dr | Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.15.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.15.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.15.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.15.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.15.dr | Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.15.dr | Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.15.dr | Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.15.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: MPGPH131.exe, 00000009.00000002.4141585370.000000000009C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__em00024
              Source: Amcache.hve.15.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h]0_2_004C6D80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00493F40 mov eax, dword ptr fs:[00000030h]0_2_00493F40
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,0_2_004E9A70
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043451D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004531CA GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044B1B1 EnumSystemLocalesW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004532F3 GetLocaleInfoW,GetLocaleInfoW,GetACP
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004533F9 GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004534CF GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044B734 GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452B5A GetACP,IsValidCodePage,GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452D5F GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452E51 EnumSystemLocalesW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452E06 EnumSystemLocalesW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452EEC EnumSystemLocalesW
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452F77 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
              Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
              Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.15.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.15.dr | Binary or memory string: msmpeng.exe
              Source: Amcache.hve.15.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.15.dr | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000000.00000002.3558548817.0000000005798000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 6332, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4916, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 1448, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\62AbnS8U76t4fChT49E_pCT.zip, type: DROPPED
              Source: file.exe, 00000000.00000002.3557114655.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: file.exe, 00000000.00000002.3557114655.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
              Source: file.exe, 00000000.00000002.3558548817.00000000057BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local StorageP
              Source: file.exe, 00000000.00000002.3558548817.00000000057BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
              Source: file.exe, 00000000.00000002.3557114655.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
              Source: file.exe, 00000000.00000002.3557114655.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: file.exe, 00000000.00000002.3557114655.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
              Source: file.exe, 00000000.00000002.3557114655.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live9
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Yara match | File source: 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 6332, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 00000000.00000002.3558548817.0000000005798000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 6332, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4916, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 1448, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\62AbnS8U76t4fChT49E_pCT.zip, type: DROPPED
              MITRE ATT&CK Matrix, listed by tactic column. A number in parentheses is the signature count shown for that technique; entries without a number are matrix cells with no matching signature.

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: Native API (2); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
              Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (13); Process Injection (11); Indicator Removal from Tools; HTML Smuggling
              Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Security Software Discovery (351); Virtualization/Sandbox Evasion (13); Process Discovery (2); System Owner/User Discovery (1); System Network Configuration Discovery (1)
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
              Collection: Archive Collected Data (1); Data from Local System (2); Screen Capture (1); Email Collection (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph (ID: 1461134; Sample: file.exe; Start date: 22/06/2024; Architecture: WINDOWS; Score: 100)

              Start node (2)
                DNS/IP: ipinfo.io; db-ip.com
                Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 6 other signatures
                Started processes: file.exe (1 62); RageMP131.exe (2); MPGPH131.exe; 2 other processes

              file.exe (node 8)
                Network: 77.91.77.66, ports 49738, 49752, 49753 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); ipinfo.io 34.117.186.192, ports 443, 49739, 49754 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); db-ip.com 104.26.4.15, ports 443, 49740, 49756 (CLOUDFLARENETUS, United States)
                Dropped files: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\62AbnS8U76t4fChT49E_pCT.zip (Zip); 2 other malicious files
                Signatures: Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
                Started processes: WerFault.exe (21 16); schtasks.exe (1); schtasks.exe (1)

              RageMP131.exe (node 13)
                Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes / dynamic malware analysis system (registry check)

              WerFault.exe (node 19)
                Dropped files: C:\ProgramData\Microsoft\...\Report.wer (Unicode)

              schtasks.exe (nodes 22 and 24)
                Started processes: conhost.exe (one per schtasks.exe instance)

              Antivirus detection, submitted file (Source | Detection | Scanner | Label)
              file.exe | 53% | ReversingLabs | Win32.Trojan.RiseProStealer
              file.exe | 58% | Virustotal |
              file.exe | 100% | Joe Sandbox ML |

              Antivirus detection, dropped files (Source | Detection | Scanner | Label)
              C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML |
              C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
              C:\ProgramData\MPGPH131\MPGPH131.exe | 53% | ReversingLabs | Win32.Trojan.RiseProStealer
              C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 53% | ReversingLabs | Win32.Trojan.RiseProStealer

              No Antivirus matches

              Antivirus detection, domains (Source | Detection | Scanner | Label)
              ipinfo.io | 0% | Virustotal |
              db-ip.com | 0% | Virustotal |

              Antivirus detection, URLs (Source | Detection | Scanner | Label)
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
              http://upx.sf.net | 0% | URL Reputation | safe
              https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
              https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
              https://ipinfo.io/ | 0% | URL Reputation | safe
              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
              https://ipinfo.io:443/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
              http://77.91.77.81/mine/amadka.exe | 100% | Avira URL Cloud | phishing
              https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
              http://77.91.77.81/mine/amadka.exe | 23% | Virustotal |
              http://77.91.77.81/cost/go.exe | 100% | Avira URL Cloud | malware
              http://crl.microsoft | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/ac/?q= | 0% | Virustotal |
              https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
              https://db-ip.com:443/demo/home.php?s=8.46.123.33E | 0% | Avira URL Cloud | safe
              https://db-ip.com/ | 0% | Avira URL Cloud | safe
              http://crl.microsoft | 0% | Virustotal |
              https://ipinfo.io/widget/demo/8.46.123.335 | 0% | Avira URL Cloud | safe
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | Avira URL Cloud | safe
              https://db-ip.com/ | 0% | Virustotal |
              https://ipinfo.io/widget/demo/8.46.123.33: | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/go.exe | 23% | Virustotal |
              https://db-ip.com/demo/home.php?s=8.46.123.33ut | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33C | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botiC | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORTQ | 0% | Avira URL Cloud | safe
              https://ipinfo.io/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.334C | 0% | Avira URL Cloud | safe
              https://db-ip.com/5 | 0% | Avira URL Cloud | safe
              https://ipinfo.io/t | 0% | Avira URL Cloud | safe
              https://db-ip.com:443/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botisepro_bot | 0% | Avira URL Cloud | safe
              https://ipinfo.io/t | 0% | Virustotal |
              https://ipinfo.io/j | 0% | Avira URL Cloud | safe
              https://db-ip.com/5 | 0% | Virustotal |
              https://t.me/RiseProSUPPORT? | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33# | 0% | Avira URL Cloud | safe
              https://db-ip.com/c | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORTzo0u | 0% | Avira URL Cloud | safe
              https://ipinfo.io/j | 0% | Virustotal |
              https://t.me/RiseProSUPPORT? | 1% | Virustotal |
              https://db-ip.com/c | 0% | Virustotal |
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
              https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORTQ | 1% | Virustotal |
              https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Virustotal |
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORT$ | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
              https://db-ip.com/o | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botisepro_bot | 0% | Virustotal |
              https://ipinfo.io/N | 0% | Avira URL Cloud | safe
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Virustotal |
              https://t.me/RiseProSUPPORT | 0% | Virustotal |
              https://ipinfo.io/Mozilla/5.0 | 0% | Avira URL Cloud | safe
              https://db-ip.com:443/demo/home.php?s=8.46.123.33)W | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/lenin.exet | 100% | Avira URL Cloud | phishing
              https://t.me/RiseProSUPPORT$ | 1% | Virustotal |
              https://db-ip.com/o | 0% | Virustotal |
              https://t.me/risepro_bot | 0% | Avira URL Cloud | safe
              https://www.maxmind.com/en/locate-my-ip-address | 0% | Avira URL Cloud | safe
              http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
              https://support.mozilla.org | 0% | Avira URL Cloud | safe
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | Avira URL Cloud | safe
              https://ipinfo.io/N | 0% | Virustotal |
              https://ipinfo.io/Mozilla/5.0 | 0% | Virustotal |
              https://db-ip.com/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/lenin.exe100%Avira URL Cloudphishing
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | | unknown
db-ip.com | 104.26.4.15 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/widget/demo/8.46.123.33 | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/ | false | URL Reputation: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://77.91.77.81/mine/amadka.exe | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | 23%, Virustotal, Browse; Avira URL Cloud: phishing | unknown
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ipinfo.io:443/widget/demo/8.46.123.33 | file.exe, 00000000.00000002.3557114655.0000000000C96000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | D87fZN3R3jFeplaces.sqlite.0.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://77.91.77.81/cost/go.exe | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | 23%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://crl.microsoft | RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33E | RageMP131.exe, 0000000B.00000002.4144884433.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/ | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ipinfo.io/widget/demo/8.46.123.335 | RageMP131.exe, 0000000B.00000002.4144884433.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | file.exe, 00000000.00000003.3161576522.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, n7J29lEH1LkuHistory.0.dr, tpFa0VILO3AVHistory.0.dr | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/widget/demo/8.46.123.33: | file.exe, 00000000.00000002.3557114655.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33ut | RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33C | RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_botiC | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/RiseProSUPPORTQ | file.exe, 00000000.00000002.3557114655.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | n7J29lEH1LkuHistory.0.dr, tpFa0VILO3AVHistory.0.dr | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | URL Reputation: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.334C | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/5 | RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ipinfo.io/t | RageMP131.exe, 0000000B.00000002.4144884433.0000000000D61000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33 | RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_botisepro_bot | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ipinfo.io/j | file.exe, 00000000.00000002.3557114655.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://t.me/RiseProSUPPORT? | file.exe, 00000000.00000002.3558548817.0000000005798000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33# | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/c | RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://t.me/RiseProSUPPORTzo0u | RageMP131.exe, 0000000B.00000002.4144884433.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | file.exe, 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1675059249.0000000002990000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2474939313.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4142206687.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.4142253887.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2475489562.0000000002760000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2567545061.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4142172979.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2648323919.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4142168146.000000000055D000.00000002.00000001.01000000.00000006.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.15.dr | false | URL Reputation: safe | unknown
https://t.me/RiseProSUPPORT | file.exe, 00000000.00000002.3558548817.0000000005798000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3557114655.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, 62AbnS8U76t4fChT49E_pCT.zip.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | file.exe, 00000000.00000003.3161576522.00000000057D2000.00000004.00000020.00020000.00000000.sdmp, n7J29lEH1LkuHistory.0.dr, tpFa0VILO3AVHistory.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://t.me/RiseProSUPPORT$ | RageMP131.exe, 0000000C.00000002.4144857009.0000000000E37000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://db-ip.com/o | RageMP131.exe, 0000000B.00000002.4144884433.0000000000DDD000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ipinfo.io/N | RageMP131.exe, 0000000C.00000002.4144857009.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | URL Reputation: safe | unknown
https://ipinfo.io/Mozilla/5.0 | file.exe, 00000000.00000002.3557114655.0000000000C96000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4144884433.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4144857009.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | D87fZN3R3jFeplaces.sqlite.0.dr | false | URL Reputation: safe | unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33)W | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | URL Reputation: safe | unknown
http://77.91.77.81/cost/lenin.exet | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://t.me/risepro_bot | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3165387841.0000000005836000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr | false | Avira URL Cloud: safe | unknown
https://www.maxmind.com/en/locate-my-ip-address | MPGPH131.exe | false | Avira URL Cloud: safe | unknown
http://www.winimage.com/zLibDll | file.exe, 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1675059249.0000000002990000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2474939313.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4142206687.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.4142253887.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2475489562.0000000002760000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2567545061.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4142172979.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2648323919.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4142168146.000000000055D000.00000002.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org | D87fZN3R3jFeplaces.sqlite.0.dr | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | n7J29lEH1LkuHistory.0.dr, tpFa0VILO3AVHistory.0.dr | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.3162088253.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3160353482.00000000057F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3159603527.00000000057D4000.00000004.00000020.00020000.00000000.sdmp, Tv5HrFbm6VQdWeb Data.0.dr, 5FkjBEcdJ5c0Web Data.0.dr, 4bB2RBXJ9t2XWeb Data.0.dr | false | URL Reputation: safe | unknown
http://77.91.77.81/cost/lenin.exe | file.exe, 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
104.26.4.15 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
77.91.77.66 | unknown | Russian Federation | 42861 | FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1461134
Start date and time: 2024-06-22 22:52:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@12/31@3/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 62%
• Number of executed functions: 52
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MPGPH131.exe, PID 432 because there are no executed functions
• Execution Graph export aborted for target MPGPH131.exe, PID 6324 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:55:21 | API Interceptor | 39x Sleep call for process: file.exe modified
16:56:05 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
21:54:17 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
21:54:17 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
21:54:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
21:54:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
34.117.186.192 | HP-patchedUS-deobfuscated.exe | Get hash | malicious | Unknown | Browse | ipinfo.io/
34.117.186.192 | HP-patchedUS-deobfuscated.exe | Get hash | malicious | Unknown | Browse | ipinfo.io/
34.117.186.192 | HP-patchedUS-deobfuscated.exe | Get hash | malicious | Unknown | Browse | ipinfo.io/
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | Get hash | malicious | Unknown | Browse | ipinfo.io/json
34.117.186.192 | Raptor.HardwareService.Setup 1.msi | Get hash | malicious | Unknown | Browse | ipinfo.io/ip
34.117.186.192 | Conferma_Pdf_Editor.exe | Get hash | malicious | Planet Stealer | Browse | ipinfo.io/
34.117.186.192 | Conferma_Pdf_Editor.exe | Get hash | malicious | Planet Stealer | Browse | ipinfo.io/
34.117.186.192 | w.sh | Get hash | malicious | Xmrig | Browse | /ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | Get hash | malicious | Unknown | Browse | ipinfo.io/ip
104.26.4.15 | #Ud3ec#Ud2b8#Ud3f4#Ub9ac#Uc624.exe | Get hash | malicious | Nemty, Xmrig | Browse | api.db-ip.com/v2/free/102.129.152.212/countryName
77.91.77.66 | file.exe | Get hash | malicious | RisePro Stealer | Browse |
77.91.77.66 | plTAoSCew2.exe | Get hash | malicious | RisePro Stealer | Browse |
77.91.77.66 | 7rA1iX60wh.exe | Get hash | malicious | RisePro Stealer | Browse |
77.91.77.66 | PNO3otPYOa.exe | Get hash | malicious | RisePro Stealer | Browse |
77.91.77.66 | YnsEArPlqx.exe | Get hash | malicious | RisePro Stealer | Browse |
77.91.77.66 | AlCsIOd0pd.exe | Get hash | malicious | RisePro Stealer | Browse |
77.91.77.66 | setup.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse |
77.91.77.66 | D44CPdpkNk.exe | Get hash | malicious | RisePro Stealer | Browse |
77.91.77.66 | WGEfBWbWQI.exe | Get hash | malicious | RisePro Stealer | Browse |
77.91.77.66 | 2bT2lTwRku.exe | Get hash | malicious | RisePro Stealer | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ipinfo.io | file.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | PsHQsuTG0H.dll | Get hash | malicious | Unknown | Browse | 34.117.186.192
ipinfo.io | plTAoSCew2.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | 7rA1iX60wh.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | PsHQsuTG0H.dll | Get hash | malicious | Unknown | Browse | 34.117.186.192
ipinfo.io | PNO3otPYOa.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | YnsEArPlqx.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | setup.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | D44CPdpkNk.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | 1kBeqS7E3z.exe | Get hash | malicious | LummaC, RisePro Stealer, Vidar | Browse | 34.117.186.192
db-ip.com | http://feedbackreview-id0284892389423.d1o0pnrgaue9g2.amplifyapp.com/index.html | Get hash | malicious | Unknown | Browse | 104.26.4.15
db-ip.com | file.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.75.166
db-ip.com | plTAoSCew2.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.5.15
db-ip.com | 7rA1iX60wh.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.4.15
db-ip.com | PNO3otPYOa.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.4.15
db-ip.com | YnsEArPlqx.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.75.166
db-ip.com | setup.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse | 104.26.5.15
db-ip.com | D44CPdpkNk.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.4.15
db-ip.com | 1kBeqS7E3z.exe | Get hash | malicious | LummaC, RisePro Stealer, Vidar | Browse | 104.26.4.15
db-ip.com | WGEfBWbWQI.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.4.15
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | setup.exe | Get hash | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | Browse | 77.91.77.81
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | setup.exe | Get hash | malicious | Amadey | Browse | 77.91.77.81
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | It5068xROy.dll | Get hash | malicious | RedLine | Browse | 77.91.77.6
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | file.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | plTAoSCew2.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | 7rA1iX60wh.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | PNO3otPYOa.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | YnsEArPlqx.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | AlCsIOd0pd.exe | Get hash | malicious | RisePro Stealer | Browse | 77.91.77.66
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | setup.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse | 77.91.77.81
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://peringatanfb772.wixsite.com/mysite | Get hash | malicious | Unknown | Browse | 34.117.60.144
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | PsHQsuTG0H.dll | Get hash | malicious | Unknown | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | plTAoSCew2.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | 7rA1iX60wh.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | PsHQsuTG0H.dll | Get hash | malicious | Unknown | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | PNO3otPYOa.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | YnsEArPlqx.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments | Get hash | malicious | Unknown | Browse | 34.117.239.71
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://my.visme.co/v/pvmd79je-dj6mqv | Get hash | malicious | Unknown | Browse | 34.117.77.79
CLOUDFLARENETUS | MT STENA IMPRESSION Vessel Particulars.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
CLOUDFLARENETUS | omgsoft.exe | Get hash | malicious | LummaC | Browse | 172.67.138.40
CLOUDFLARENETUS | Zahlung.docx.doc | Get hash | malicious | Unknown | Browse | 172.67.135.214
CLOUDFLARENETUS | Zahlung.docx.doc | Get hash | malicious | Unknown | Browse | 172.67.135.214
CLOUDFLARENETUS | https://havenhostelbremerhaven.eu/4659080558 | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | Baltic questionnaire.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
CLOUDFLARENETUS | TS-240622-BlankGrabber3.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.136.232
CLOUDFLARENETUS | TS-240622-Creal2.exe | Get hash | malicious | Python Stealer, CStealer | Browse | 104.26.3.16
CLOUDFLARENETUS | TS-240622-Lumma4.exe | Get hash | malicious | LummaC | Browse | 104.21.49.90
CLOUDFLARENETUS | https://th.sparrow-golf.com/index.php/campaigns/tz181hd4n20e8/track-url/ab370qhrl0e77/39494c72ffac678ff4c07d71b9274c7f79918666 | Get hash | malicious | Unknown | Browse | 172.67.147.84
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  a0e9f5d64349fb13191bc781f81f42e1omgsoft.exeGet hashmaliciousLummaCBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  Zahlung.docx.docGet hashmaliciousUnknownBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  TS-240622-Lumma4.exeGet hashmaliciousLummaCBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  NEW ORDER.docx.docGet hashmaliciousUnknownBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  https://bcr.serviciul.com/Get hashmaliciousUnknownBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  setup.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLineBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  SecuriteInfo.com.Script.SNH-gen.23298.6936.xlsxGet hashmaliciousUnknownBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  SecuriteInfo.com.FileRepMalware.3625.5069.msiGet hashmaliciousBazar Loader, BruteRatel, LatrodectusBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  Form_Ver-13-59-03 (1).jsGet hashmaliciousBazar Loader, BruteRatel, LatrodectusBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  93.bin.exeGet hashmaliciousLummaCBrowse
                                  • 34.117.186.192
                                  • 104.26.4.15
                                  No context
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3329552
                                  Entropy (8bit):7.962033034801858
                                  Encrypted:false
                                  SSDEEP:98304:BWs3Yh0MA6vUsHAMd57XgfynxOGBsBBbDvq:BWsoh0kvFFgf6RsBBbjq
                                  MD5:200F9F4AACEE6ABE76FF4C56869AA836
                                  SHA1:582E3099DBA8AEC26548D211AD6C3D8B5E5B6AB4
                                  SHA-256:57BD105185F5216245FF7A967967FB191159828A9F918ECE31B48030119AAD52
                                  SHA-512:27FF20213A73EC3A4FFAE79DBC424DC24061F019C0D860D98DF50D3DE07F6D95D19B1D54FA24FB6638A7FBCAA259FCFDC5AF954069EA05EBBB68DF572423062B
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 53%
                                  Reputation:low
Preview: MZ/PE header with the standard DOS stub ("This program cannot be run in DOS mode") and a Rich header; section names readable in the preview are .rsrc, .idata, .tls, themida, .boot and .reloc, plus several sections whose names contain non-printable or special characters; the remainder is binary.
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:high, very likely benign file
Preview:
[ZoneTransfer]
ZoneId=0
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.0429828005402146
                                  Encrypted:false
                                  SSDEEP:192:WtdAUBuG+vPPuY0C2CvkXI3jyZrosLZuzuiFKZ24IO8eBP:y3QPGzClvkAjyuzuiFKY4IO8eP
                                  MD5:B8DB9A234490121E9FF1E4D95CB5B0DA
                                  SHA1:9FD89EA5F6EC22B8262F54981C94EE6B095E0DFC
                                  SHA-256:9442308B33BFC02052F59F544D506AB52B1E2BA590BC7DAF298B333085D0B0AF
                                  SHA-512:E4DE58A07A05DC5021F7F73DD59BC101BEDE531E61656BBFB6528C4B7A61B9B4CEFDE4C49F54C247AB5DE00A17B0B17AE6D4311E9829704FE8EAC5F4B1200D12
                                  Malicious:true
                                  Reputation:low
Preview (UTF-16 text decoded; the report truncates it after the TargetAppId value):
Version=1
EventType=APPCRASH
EventTime=133635633316687236
ReportType=2
Consent=1
UploadTime=133635633338093932
ReportStatus=524384
ReportIdentifier=53e0877d-73ea-4182-a226-aef0b3a36460
IntegratorReportIdentifier=2dc0d8f4-7421-4d30-8522-f6948f506938
Wow64Host=34404
Wow64Guest=332
NsAppName=file.exe
OriginalFilename=dotnet.exe
AppSessionGuid=000018bc-0001-0014-36a8-7829e6c4da01
TargetAppId=W:000651a435ae91a74fb4a6873265f3a49d2700000904!0000582e3099dba8aec26548d211ad6c3d8b5e5b6ab4!fi
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Sat Jun 22 20:55:31 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):104356
                                  Entropy (8bit):2.0451293197880056
                                  Encrypted:false
                                  SSDEEP:384:AmU+ixQexVFtvLXoNkLs0zz0P14Td/GJvLp3MC9jTD7obS6b6Nd9tN9qtNdqf4D5:AU6Q+VFtvhvx/evV9V34DqU
                                  MD5:528AC3D1E53A214A9BAB45F7CBD9BDC7
                                  SHA1:4B4DB736BA683C9BAFE839EE64F0FA53A7E57710
                                  SHA-256:B9907CD8609E6150BA9619C27DA47497B19CF659746DBC647A3F4C8F9997DE9D
                                  SHA-512:F6FDD8C10F1F5452790702205ED32C54D50D6B5A7CA19EDB592FC73477920A80CE091BFBC3DD0C49B8EBFEB2B6C1B57EEE514C9355254151C29A9973E17921AD
                                  Malicious:false
                                  Reputation:low
Preview: MDMP (minidump) header; readable strings in the preview are GenuineIntel, "Eastern Standard Time", "Eastern Summer Time" and the OS build string 19041.1.amd64fre.vb_release.191206-1406; the remainder is binary.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8376
                                  Entropy (8bit):3.697199979345875
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJcCv6vR3Abz6Y9YSU6gmfBjJJpY9pra89bbZsfrNpm:R6lXJL6vxAbz6YSSU6gmf1JJ2jbyfO
                                  MD5:903E0B80169D4846A07F33A8C5B99B2F
                                  SHA1:E43A58AABBB88D7C0BCFA50F2D0D7459E46D365A
                                  SHA-256:F775D3AB7A85305906274B1E62E9156D6BC5E9E82A8505D5C6AD540E8230FC94
                                  SHA-512:C94DA5B96ADA4199B3C6EF9F0DD60ABE6DCC31CFAADFD15A7946F4E19F2D383A9A6CD4FBCD684D635B38D8C55B3045E80E689B604143BAAE01D4FAC469507FDB
                                  Malicious:false
                                  Reputation:low
Preview (UTF-16 text decoded; the report truncates it inside the ProcessInformation element):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>6332</Pi
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4683
                                  Entropy (8bit):4.492245951583203
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsENJg77aI9XjiTlWpW8VY/Ym8M4JD3FJA+q8ru186CdPud:uIjfEnI7R+TU7V7JEH8RdPud
                                  MD5:0104BB34325E1379F059D04530E0999D
                                  SHA1:76561CDEED0B4698A03BFDAF0DDF7B66386D55B7
                                  SHA-256:94A5E195A886B33831620F6059C0D366ED1B6C01ADB79DA243DCE9DDD935A0E9
                                  SHA-512:8CC77F66D743199D07FA7EED06905B792F759905CC5928BE6AF554C86B8CC5C9FAED15C164DF02985335FCBF12AE3A06590C631A8648833C7D88A28166B39F5A
                                  Malicious:false
                                  Reputation:low
Preview (the report truncates it inside the "ram" argument):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="19045" />
            <arg nm="vercsdbld" val="2006" />
            <arg nm="verqfe" val="2006" />
            <arg nm="csdbld" val="2006" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="2057" />
            <arg nm="geoid" val="223" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="379438" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.789.19041.0-11.0.1000" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="409
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3329552
                                  Entropy (8bit):7.962033034801858
                                  Encrypted:false
                                  SSDEEP:98304:BWs3Yh0MA6vUsHAMd57XgfynxOGBsBBbDvq:BWsoh0kvFFgf6RsBBbjq
                                  MD5:200F9F4AACEE6ABE76FF4C56869AA836
                                  SHA1:582E3099DBA8AEC26548D211AD6C3D8B5E5B6AB4
                                  SHA-256:57BD105185F5216245FF7A967967FB191159828A9F918ECE31B48030119AAD52
                                  SHA-512:27FF20213A73EC3A4FFAE79DBC424DC24061F019C0D860D98DF50D3DE07F6D95D19B1D54FA24FB6638A7FBCAA259FCFDC5AF954069EA05EBBB68DF572423062B
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 53%
                                  Reputation:low
Preview: MZ/PE header with the standard DOS stub ("This program cannot be run in DOS mode") and a Rich header; section names readable in the preview are .rsrc, .idata, .tls, themida, .boot and .reloc, plus several sections whose names contain non-printable or special characters; the remainder is binary.
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
Preview:
[ZoneTransfer]
ZoneId=0
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                  Category:modified
                                  Size (bytes):5454
                                  Entropy (8bit):7.896443183337605
                                  Encrypted:false
                                  SSDEEP:96:JWGzqeAoMq+YK0KF8cAJiI2i+uJtS7TxKmEwe9Jkm623KJ0y:9qASpF8wFas8brJjj6Jb
                                  MD5:AC5C366B8ED524A59588CEE20AA2ED43
                                  SHA1:8A596B98BBBD5C3E5487389622D8A951DEB964AE
                                  SHA-256:9BB463F7C66938E7D039A447BD0B7605A25301648D4B953C62B434F81DF98CFD
                                  SHA-512:595EB13303AA5393512FE86932B2E497C0C84CC00E3F6015CABB5352807AD1E218CF2E8984341B651362D3B084173E40137EEA145BC20C75B9EDA725D9F469D1
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\62AbnS8U76t4fChT49E_pCT.zip, Author: Joe Security
Preview: PK (zip) header; archive entry names readable in the preview are Cookies\ and Cookies\Chrome_Default.txt; the remainder is deflate-compressed data.
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):13
                                  Entropy (8bit):2.8150724101159437
                                  Encrypted:false
                                  SSDEEP:3:LEAVq:IZ
                                  MD5:DDCC5F9DAF4C890D94FDD66ECB713D86
                                  SHA1:BFFA49A6128BB8D25147663042E9405E4AA10094
                                  SHA-256:069B1F4F76B58B3A41196B63596E8642BCF81C78120A5A8E923E06E8F367125D
                                  SHA-512:2C2A5BD924A004E12360B8FA677BC0A47CB04521A9F1673E5C4107B073D3B87E9D24A9058EDAD0F8731DEBD1EAE04AF1A096A4A0D4662079B3B3B88196C8CDA3
                                  Malicious:false
                                  Preview:1719095006982
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):98304
                                  Entropy (8bit):0.08235737944063153
                                  Encrypted:false
                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                  Malicious:false
Preview: "SQLite format 3" database header followed by page data with no readable strings.
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):5242880
                                  Entropy (8bit):0.037963276276857943
                                  Encrypted:false
                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                  Malicious:false
Preview: "SQLite format 3" database header followed by page data with no readable strings.
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.1358696453229276
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                  Malicious:false
Preview: "SQLite format 3" database header followed by page data with no readable strings.
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.1358696453229276
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                  Malicious:false
Preview: "SQLite format 3" database header followed by page data with no readable strings.
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):40960
                                  Entropy (8bit):0.8553638852307782
                                  Encrypted:false
                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                  Malicious:false
Preview: "SQLite format 3" database header followed by page data with no readable strings.
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                  Category:dropped
                                  Size (bytes):28672
                                  Entropy (8bit):2.5793180405395284
                                  Encrypted:false
                                  SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                  MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                  SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                  SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                  SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):5242880
                                  Entropy (8bit):0.037963276276857943
                                  Encrypted:false
                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                  Malicious:false
                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):114688
                                  Entropy (8bit):0.9746603542602881
                                  Encrypted:false
                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.1358696453229276
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):49152
                                  Entropy (8bit):0.8180424350137764
                                  Encrypted:false
                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                  MD5:349E6EB110E34A08924D92F6B334801D
                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):126976
                                  Entropy (8bit):0.47147045728725767
                                  Encrypted:false
                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                  Category:dropped
                                  Size (bytes):159744
                                  Entropy (8bit):0.7873599747470391
                                  Encrypted:false
                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):6085
                                  Entropy (8bit):6.038274200863744
                                  Encrypted:false
                                  SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                  MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                  SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                  SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                  SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                  Malicious:false
                                  Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:ASCII text, with CRLF, LF line terminators
                                  Category:dropped
                                  Size (bytes):5085
                                  Entropy (8bit):5.373584115099081
                                  Encrypted:false
                                  SSDEEP:96:xhAhRRuCWcT4Aisph892DDowu4mmngvANUbg3x:xuECWvAtphw2DDoXFmXB
                                  MD5:2EF833C95FF4A45CB47D7BE17FE6BA31
                                  SHA1:D770AEBC57500FABFD792A1C8429546629BC1B46
                                  SHA-256:32E6C4F794C1255F0E96E57D222F03AE2A79E75D22D000006E328C13E0CAB989
                                  SHA-512:1BA0227F33D58A1063411F9F22055685DC0A9389B2FE2B5019414FF4FF2AE463FCB5A79E2ECC17295D3CCDA56853455FC157D1E229FF4D6E97E6A8A5B0B3EDDB
                                  Malicious:false
                                  Preview:Build: fulka..Version: 2.0....Date: Sat Jun 22 16:55:27 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: dd77f2d610b53b58c700b59fd5a20a4b....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyA_q_KFFENg59....IP: 8.46.123.33..Location: US, New York..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 942247 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 22/6/2024 16:55:27..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..sv
                                  Process:C:\Users\user\Desktop\file.exe
                                  File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                  Category:dropped
                                  Size (bytes):4897
                                  Entropy (8bit):2.518316437186352
                                  Encrypted:false
                                  SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                  MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                  SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                  SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                  SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                  Malicious:false
                                  Preview:................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.465826346426732
                                  Encrypted:false
                                  SSDEEP:6144:kIXfpi67eLPU9skLmb0b4iWSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbN:ZXD94iWlLZMM6YFH1+N
                                  MD5:BF196CFB4D522EB9412E84579C3FCECF
                                  SHA1:E0FE5C9566129E46105FDAEEE0240949000323E3
                                  SHA-256:6EC1D00D859FFAC93CF1038280A5DE7A38782FB3FD2749CA25B3BF62F7C4E069
                                  SHA-512:417FD437D3452A56653569FD5B6F986035D8DF2A473180364EDE11002CEDCD5E66AB2EF8E6F507C66D1CCD4CD8661CB4B81F161CB6DDCD36E8EA5AACA779B402
                                  Malicious:false
                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....................................................................................................................................................................................................................................................................................................................................................!..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.962033034801858
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:3'329'552 bytes
                                  MD5:200f9f4aacee6abe76ff4c56869aa836
                                  SHA1:582e3099dba8aec26548d211ad6c3d8b5e5b6ab4
                                  SHA256:57bd105185f5216245ff7a967967fb191159828a9f918ece31b48030119aad52
                                  SHA512:27ff20213a73ec3a4ffae79dbc424dc24061f019c0d860d98df50d3de07f6d95d19b1d54fa24fb6638a7fbcaa259fcfdc5af954069ea05ebbb68df572423062b
                                  SSDEEP:98304:BWs3Yh0MA6vUsHAMd57XgfynxOGBsBBbDvq:BWsoh0kvFFgf6RsBBbjq
                                  TLSH:34F53327B5C04CB9C9B20BFBBC53094D5E4FAA6587119325B53F8ADD312C48D8BF25A8
                                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                  Icon Hash:8596a1a0a1a1b171
                                  Entrypoint:0x980058
                                  Entrypoint Section:.boot
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:63814aaf116ba6abb6496ce4bcad24c6
                                  Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19618b | 0x184 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18a000 | 0x1638 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7f6000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x197018 | 0x18 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x18369c | 0x40 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x15bbc8 | 0x9d200 | 2ba7a0fbdd34a17b90ad60eb025031e4 | False | 0.997961416070008 | data | 7.970562796260684 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
 | 0x15d000 | 0x27e32 | 0x10a00 | 99bc1ff5a03860a11215e62849ac2787 | False | 0.9927895911654135 | data | 7.945549630166553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x185000 | 0x4930 | 0x800 | f146833fa0e788ef058e7854601d79a5 | False | 0.99267578125 | data | 7.793978096287101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x18a000 | 0x1638 | 0x1800 | fe6f3fdb9e7e97cba92d8ce4e4fcc95b | False | 0.7220052083333334 | data | 6.54017046361188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x18c000 | 0x9858 | 0x7200 | 8d5731a433ff8d49f45fa55aee3d50c4 | False | 0.9794750548245614 | data | 7.93307183804952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x196000 | 0x1000 | 0x400 | 1b20e07443fa333ff9692026d1e6c6c2 | False | 0.3984375 | data | 3.42439969016873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x197000 | 0x1000 | 0x200 | 54a50a058e0f3b6aa2fe1b22e2033106 | False | 0.056640625 | data | 0.18120187678200297 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida | 0x198000 | 0x3e8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x580000 | 0x275600 | 0x275600 | 8761b4811e06c893b0d9359c8d51b7db | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x7f6000 | 0x1000 | 0x10 | f5bc99b71bad9e8a775cc32747e3ca58 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.474601752714581 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x18a440 | 0x1060 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.8838263358778626
RT_GROUP_ICON | 0x18b4a0 | 0x14 | data | Russian | Russia | 1.05
RT_VERSION | 0x18a130 | 0x310 | data | Russian | Russia | 0.45408163265306123
RT_MANIFEST | 0x18b4b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | wsprintfA
GDI32.dll | CreateCompatibleBitmap
ADVAPI32.dll | RegQueryValueExA
SHELL32.dll | ShellExecuteA
ole32.dll | CoInitialize
WS2_32.dll | WSAStartup
CRYPT32.dll | CryptUnprotectData
SHLWAPI.dll | PathFindExtensionA
gdiplus.dll | GdipGetImageEncoders
SETUPAPI.dll | SetupDiEnumDeviceInfo
ntdll.dll | RtlUnicodeStringToAnsiString
RstrtMgr.DLL | RmStartSession
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/22/24-22:55:23.960247 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
06/22/24-22:56:52.783227 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49753 | 77.91.77.66 | 192.168.2.4
06/22/24-22:56:24.564246 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49752 | 77.91.77.66 | 192.168.2.4
06/22/24-22:56:59.648082 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49752 | 58709 | 192.168.2.4 | 77.91.77.66
06/22/24-22:56:31.171917 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49753 | 77.91.77.66 | 192.168.2.4
06/22/24-22:56:52.419694 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49752 | 77.91.77.66 | 192.168.2.4
06/22/24-22:56:34.334522 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49753 | 58709 | 192.168.2.4 | 77.91.77.66
06/22/24-22:54:16.496660 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
06/22/24-22:54:25.279747 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
06/22/24-22:54:17.088231 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jun 22, 2024 22:56:53.480721951 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.481072903 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.481108904 CEST44349757104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.608921051 CEST44349756104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.609033108 CEST49756443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.610094070 CEST49756443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.610112906 CEST44349756104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.610480070 CEST44349756104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.611987114 CEST49756443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.656549931 CEST44349756104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.836415052 CEST44349756104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.836505890 CEST44349756104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.836762905 CEST49756443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.836762905 CEST49756443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.836762905 CEST49756443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.837235928 CEST4975258709192.168.2.477.91.77.66
                                  Jun 22, 2024 22:56:53.842228889 CEST587094975277.91.77.66192.168.2.4
                                  Jun 22, 2024 22:56:53.977319956 CEST44349757104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.977449894 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.978466988 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:53.978498936 CEST44349757104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.979013920 CEST44349757104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:53.982551098 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:54.024581909 CEST44349757104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:54.184341908 CEST44349757104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:54.184670925 CEST44349757104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:54.184986115 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:54.184986115 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:54.184986115 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:54.185359001 CEST4975358709192.168.2.477.91.77.66
                                  Jun 22, 2024 22:56:54.190233946 CEST587094975377.91.77.66192.168.2.4
                                  Jun 22, 2024 22:56:54.213649035 CEST49756443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:54.213717937 CEST44349756104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:54.679418087 CEST49757443192.168.2.4104.26.4.15
                                  Jun 22, 2024 22:56:54.679483891 CEST44349757104.26.4.15192.168.2.4
                                  Jun 22, 2024 22:56:56.509208918 CEST587094975277.91.77.66192.168.2.4
                                  Jun 22, 2024 22:56:56.652391911 CEST4975258709192.168.2.477.91.77.66
                                  Jun 22, 2024 22:56:56.731173038 CEST587094975377.91.77.66192.168.2.4
                                  Jun 22, 2024 22:56:56.866785049 CEST4975358709192.168.2.477.91.77.66
                                  Jun 22, 2024 22:56:59.648082018 CEST4975258709192.168.2.477.91.77.66
                                  Jun 22, 2024 22:56:59.653048038 CEST587094975277.91.77.66192.168.2.4
                                  Jun 22, 2024 22:57:03.972543955 CEST587094975277.91.77.66192.168.2.4
                                  Jun 22, 2024 22:57:04.007626057 CEST4975258709192.168.2.477.91.77.66
                                  Jun 22, 2024 22:57:04.012689114 CEST587094975277.91.77.66192.168.2.4
                                  Jun 22, 2024 22:57:07.983200073 CEST587094975377.91.77.66192.168.2.4
                                  Jun 22, 2024 22:57:08.038644075 CEST4975358709192.168.2.477.91.77.66
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 22, 2024 22:54:25.384589911 CEST | 62382 | 53 | 192.168.2.4 | 1.1.1.1
Jun 22, 2024 22:54:25.392137051 CEST | 53 | 62382 | 1.1.1.1 | 192.168.2.4
Jun 22, 2024 22:54:26.082113028 CEST | 51848 | 53 | 192.168.2.4 | 1.1.1.1
Jun 22, 2024 22:54:26.094408035 CEST | 53 | 51848 | 1.1.1.1 | 192.168.2.4
Jun 22, 2024 22:56:52.501929998 CEST | 62906 | 53 | 192.168.2.4 | 1.1.1.1
Jun 22, 2024 22:56:52.509466887 CEST | 53 | 62906 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 22, 2024 22:54:25.384589911 CEST | 192.168.2.4 | 1.1.1.1 | 0xb4d5 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Jun 22, 2024 22:54:26.082113028 CEST | 192.168.2.4 | 1.1.1.1 | 0x39c5 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Jun 22, 2024 22:56:52.501929998 CEST | 192.168.2.4 | 1.1.1.1 | 0x4fc4 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 22, 2024 22:54:25.392137051 CEST | 1.1.1.1 | 192.168.2.4 | 0xb4d5 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 22:54:26.094408035 CEST | 1.1.1.1 | 192.168.2.4 | 0x39c5 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 22:54:26.094408035 CEST | 1.1.1.1 | 192.168.2.4 | 0x39c5 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 22:54:26.094408035 CEST | 1.1.1.1 | 192.168.2.4 | 0x39c5 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 22:56:52.509466887 CEST | 1.1.1.1 | 192.168.2.4 | 0x4fc4 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
• ipinfo.io
• https:
• db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.4 | 49730 | 34.117.186.192 | 443
Timestamp | Bytes transferred | Direction | Data
2024-06-22 20:52:52 UTC | 59 | OUT | GET / HTTP/1.1
    Host: ipinfo.io
    Connection: Keep-Alive
2024-06-22 20:52:52 UTC | 513 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Sat, 22 Jun 2024 20:52:52 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 319
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-06-22 20:52:52 UTC | 319 | IN | Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22
    Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 34.117.186.192 | 443 | 6332 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-22 20:54:25 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-06-22 20:54:26 UTC | 514 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Sat, 22 Jun 2024 20:54:25 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 1025
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-06-22 20:54:26 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
    Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-22 20:54:26 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
    Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49740 | 104.26.4.15 | 443 | 6332 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-22 20:54:26 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
2024-06-22 20:54:26 UTC | 655 | IN | HTTP/1.1 200 OK
    Date: Sat, 22 Jun 2024 20:54:26 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: A29E9EB7:CC3C_93878F2E:0050_66773A02_1533224A:4F34
    x-iplb-instance: 59215
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J5mLc66zJwlfX75QOdP6oInmi2Vt%2Fb3vDLjwiUB%2FLY%2BYRm6r7uJ5V3M3z0LPiu9KZ5asUqmFWD2qvjYmuXy9GC1ZY8UHvIJFZl3yAlwr6jV95MDUWY8576wX3w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 897f223069af4238-EWR
    alt-svc: h3=":443"; ma=86400
2024-06-22 20:54:26 UTC | 673 | IN | Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b
    Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-22 20:54:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49754 | 34.117.186.192 | 443 | 4916 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-22 20:56:53 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-06-22 20:56:53 UTC | 514 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Sat, 22 Jun 2024 20:56:53 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 1025
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 1
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-06-22 20:56:53 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
    Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-22 20:56:53 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
    Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49755 | 34.117.186.192 | 443 | 1448 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-22 20:56:53 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-06-22 20:56:53 UTC | 514 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Sat, 22 Jun 2024 20:56:53 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 1025
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 1
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-06-22 20:56:53 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
    Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-22 20:56:53 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
    Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49756 | 104.26.4.15 | 443 | 4916 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-22 20:56:53 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
2024-06-22 20:56:53 UTC | 653 | IN | HTTP/1.1 200 OK
    Date: Sat, 22 Jun 2024 20:56:53 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC467377:4854_93878F2E:0050_66773A95_151FE737:7B63
    x-iplb-instance: 59128
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rd3uj1RB8CU0KvmjwVNt4NmQeZqORw%2FS6GrOKrgcC7SCOS4s45jit2t5eUhOaSAOpXUvocCZjQZSj%2Fig9Vfgbqb0CbeC3XOmQHnY7g8f5Dv8eOfOcX6AXrfeRA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 897f25c7894d7d13-EWR
    alt-svc: h3=":443"; ma=86400
2024-06-22 20:56:53 UTC | 673 | IN | Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b
    Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-22 20:56:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49757 | 104.26.4.15 | 443 | 1448 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-22 20:56:53 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
2024-06-22 20:56:54 UTC | 655 | IN | HTTP/1.1 200 OK
    Date: Sat, 22 Jun 2024 20:56:54 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: A29E3E47:56BE_93878F2E:0050_66773A96_151FE74A:7B63
    x-iplb-instance: 59128
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1HfPgmfXhLQfqPYZC7h54uGLX8sPlFPeTjvjSKcXcX5aTG9408LvN%2FG2b37kIuIpryvXCF5PODGwsselMaR%2BOEpk6VT8H1cQ99X2gZDO%2BK9W6RGbun5jWG59Mg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 897f25c9df78c35a-EWR
    alt-svc: h3=":443"; ma=86400
2024-06-22 20:56:54 UTC | 673 | IN | Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b
    Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-22 20:56:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0



Target ID: 0
Start time: 16:52:57
Start date: 22/06/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x400000
File size: 3'329'552 bytes
MD5 hash: 200F9F4AACEE6ABE76FF4C56869AA836
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.3558548817.0000000005798000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3557114655.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                  Target ID:4
                                  Start time:16:54:15
                                  Start date:22/06/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                  Imagebase:0xb80000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:16:54:15
                                  Start date:22/06/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:16:54:15
                                  Start date:22/06/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                  Imagebase:0xb80000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:16:54:15
                                  Start date:22/06/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:16:54:17
                                  Start date:22/06/2024
                                  Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Imagebase:0x400000
                                  File size:3'329'552 bytes
                                  MD5 hash:200F9F4AACEE6ABE76FF4C56869AA836
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 53%, ReversingLabs
                                  Reputation:low
                                  Has exited:false

                                  Target ID:9
                                  Start time:16:54:17
                                  Start date:22/06/2024
                                  Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Imagebase:0x400000
                                  File size:3'329'552 bytes
                                  MD5 hash:200F9F4AACEE6ABE76FF4C56869AA836
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  Target ID:11
                                  Start time:16:54:27
                                  Start date:22/06/2024
                                  Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                  Imagebase:0x400000
                                  File size:3'329'552 bytes
                                  MD5 hash:200F9F4AACEE6ABE76FF4C56869AA836
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 53%, ReversingLabs
                                  Reputation:low
                                  Has exited:false

                                  Target ID:12
                                  Start time:16:54:35
                                  Start date:22/06/2024
                                  Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                  Imagebase:0x400000
                                  File size:3'329'552 bytes
                                  MD5 hash:200F9F4AACEE6ABE76FF4C56869AA836
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  Target ID:15
                                  Start time:16:55:31
                                  Start date:22/06/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 1920
                                  Imagebase:0x280000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:23.4%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:52.7%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:36
49638->49504 49639->49457 49640->49507 49641->49507 49642->49460 49655 42e82a 49649->49655 49660 42e9ff 49649->49660 49651 4163b0 41 API calls std::_Throw_Cpp_error 49651->49655 49652 42ea1a 49699 407260 RaiseException 49652->49699 49653 433672 std::_Facet_Register 3 API calls 49653->49655 49655->49651 49655->49652 49655->49653 49658 402df0 std::_Throw_Cpp_error 41 API calls 49655->49658 49655->49660 49666 413d50 49655->49666 49656 42ea1f 49657 42ea3d 49656->49657 49700 42d6a0 41 API calls std::_Throw_Cpp_error 49656->49700 49657->49615 49658->49655 49660->49615 49662 41d24d 49661->49662 49665 41d1f8 std::ios_base::_Ios_base_dtor 49661->49665 49662->49623 49663 41d1d0 41 API calls 49663->49665 49664 402df0 std::_Throw_Cpp_error 41 API calls 49664->49665 49665->49662 49665->49663 49665->49664 49667 413df7 std::_Locinfo::_Locinfo_ctor 49666->49667 49668 413d8f 49666->49668 49667->49655 49668->49667 49669 413d96 49668->49669 49670 413e69 49668->49670 49671 413f7d 49668->49671 49672 413f1e 49668->49672 49675 433672 std::_Facet_Register 3 API calls 49669->49675 49674 433672 std::_Facet_Register 3 API calls 49670->49674 49676 433672 std::_Facet_Register 3 API calls 49671->49676 49703 417e80 41 API calls 2 library calls 49672->49703 49677 413e73 49674->49677 49678 413da0 49675->49678 49679 413f8a 49676->49679 49677->49667 49702 42bf30 41 API calls 3 library calls 49677->49702 49680 433672 std::_Facet_Register 3 API calls 49678->49680 49679->49667 49682 413fd3 49679->49682 49683 41408e 49679->49683 49681 413dd2 49680->49681 49701 42f460 41 API calls 2 library calls 49681->49701 49687 414004 49682->49687 49688 413fdb 49682->49688 49704 403330 RaiseException 49683->49704 49691 433672 std::_Facet_Register 3 API calls 49687->49691 49689 414093 49688->49689 49690 413fe6 49688->49690 49705 402b50 RaiseException Concurrency::cancel_current_task std::_Throw_Cpp_error ___std_exception_copy 49689->49705 49693 433672 std::_Facet_Register 3 API calls 49690->49693 49691->49667 49695 
413fec 49693->49695 49694 413d50 41 API calls 49696 413eb1 49694->49696 49695->49667 49697 438c70 std::_Throw_Cpp_error 41 API calls 49695->49697 49696->49667 49696->49694 49698 41409d 49697->49698 49699->49656 49700->49656 49701->49667 49702->49696 49703->49667 49705->49695 49862 46aa80 50089 46aaba 49862->50089 49863 478b27 49864 46aae1 49865 4163b0 std::_Throw_Cpp_error 41 API calls 49864->49865 49866 4163b0 std::_Throw_Cpp_error 41 API calls 49864->49866 49865->49864 49867 46ab3c 49866->49867 49868 46abc4 49867->49868 49870 46abde 49868->49870 49869 403040 std::_Throw_Cpp_error 41 API calls 49869->49870 49870->49869 49871 403040 std::_Throw_Cpp_error 41 API calls 49870->49871 49872 46ad59 49871->49872 49874 46ad84 49872->49874 51209 47721c 49872->51209 51210 4aa200 49872->51210 49877 46ad96 49874->49877 49875 47722a 49876 47724c 49875->49876 49879 4163b0 std::_Throw_Cpp_error 41 API calls 49876->49879 49878 46adb8 49877->49878 49880 4163b0 std::_Throw_Cpp_error 41 API calls 49878->49880 49881 47725b 49879->49881 49882 46adc0 49880->49882 49890 477278 49881->49890 49883 46adda 49882->49883 49884 46ade1 49883->49884 49885 4163b0 std::_Throw_Cpp_error 41 API calls 49884->49885 49887 46ade9 49885->49887 49886 4163b0 std::_Throw_Cpp_error 41 API calls 49886->49890 49889 402cf0 std::_Throw_Cpp_error 41 API calls 49887->49889 49888 402cf0 std::_Throw_Cpp_error 41 API calls 49888->49890 49891 46ae63 49889->49891 49890->49886 49890->49888 49897 47747b 49890->49897 49893 402cf0 std::_Throw_Cpp_error 41 API calls 49891->49893 49892 402cf0 std::_Throw_Cpp_error 41 API calls 49892->49897 49894 46af8d 49893->49894 49896 4aa200 222 API calls 49894->49896 49895 4aa200 222 API calls 49895->49897 49898 46afa8 49896->49898 49897->49892 49897->49895 49899 4774af 49897->49899 49900 46afbd 49898->49900 49901 4774d1 49899->49901 49902 46afdf 49900->49902 49903 4163b0 std::_Throw_Cpp_error 41 API calls 49901->49903 49904 4163b0 std::_Throw_Cpp_error 41 API calls 49902->49904 49905 
4774e0 49903->49905 49906 46afe7 49904->49906 49915 4774fd 49905->49915 49907 46b001 49906->49907 49908 46b008 49907->49908 49909 4163b0 std::_Throw_Cpp_error 41 API calls 49909->49915 49912 402cf0 std::_Throw_Cpp_error 41 API calls 49912->49915 49915->49909 49915->49912 49921 477700 49915->49921 49917 402cf0 std::_Throw_Cpp_error 41 API calls 49917->49921 49919 4aa200 222 API calls 49919->49921 49921->49917 49921->49919 49923 477734 49921->49923 49924 477756 49923->49924 49927 4163b0 std::_Throw_Cpp_error 41 API calls 49924->49927 49930 477765 49927->49930 49938 477782 49930->49938 49933 4163b0 std::_Throw_Cpp_error 41 API calls 49933->49938 49936 402cf0 std::_Throw_Cpp_error 41 API calls 49936->49938 49938->49933 49938->49936 49946 477985 49938->49946 49940 402cf0 std::_Throw_Cpp_error 41 API calls 49940->49946 49943 4aa200 222 API calls 49943->49946 49946->49940 49946->49943 49947 4779b9 49946->49947 49948 4779db 49947->49948 50084 402cf0 std::_Throw_Cpp_error 41 API calls 50084->50089 50087 4aa200 222 API calls 50087->50089 50089->49863 50089->49864 50089->50084 50089->50087 51209->49875 51211 4359b0 __fread_nolock 51210->51211 51212 4aa25b SHGetFolderPathA 51211->51212 52171 41ac50 51212->52171 51214 4aa28f 51215 4aa2ad 51214->51215 51216 4ab3c5 51214->51216 51217 4163b0 std::_Throw_Cpp_error 41 API calls 51215->51217 51218 4152b0 41 API calls 51216->51218 51219 4aa2be 51217->51219 51220 4ab411 51218->51220 51221 4c6000 45 API calls 51219->51221 51222 402df0 std::_Throw_Cpp_error 41 API calls 51220->51222 51223 4aa2d1 51221->51223 51224 4ab3c3 51222->51224 51225 4aa2eb 51223->51225 51479 4aa355 std::_Locinfo::_Locinfo_ctor 51223->51479 51229 4242a0 41 API calls 51224->51229 51232 4ab46b 51224->51232 51480 4ab490 std::ios_base::_Ios_base_dtor std::_Locinfo::_Locinfo_ctor 51224->51480 51227 4185d0 76 API calls 51225->51227 51226 4ab3b4 51230 4185d0 76 API calls 51226->51230 51228 4aa2f7 51227->51228 51231 4185d0 76 API calls 51228->51231 51229->51232 
51230->51224 51233 4aa303 51231->51233 51234 402df0 std::_Throw_Cpp_error 41 API calls 51232->51234 51235 402df0 std::_Throw_Cpp_error 41 API calls 51233->51235 51234->51480 51237 4aa30f 51235->51237 51236 4adb0c 51240 417ef0 41 API calls 51236->51240 51238 402df0 std::_Throw_Cpp_error 41 API calls 51237->51238 51242 4adb7a 51240->51242 51245 4140c0 41 API calls 51242->51245 51244 41e710 41 API calls 51244->51480 51248 4adba4 51245->51248 52179 41af80 51248->52179 51259 4adb07 51263 438c70 std::_Throw_Cpp_error 41 API calls 51259->51263 51263->51236 51281 41ad80 41 API calls 51281->51480 51300 41e8a0 41 API calls 51300->51479 51312 418f00 41 API calls std::_Throw_Cpp_error 51312->51479 51320 41e8a0 41 API calls 51320->51480 51328 418f00 std::_Throw_Cpp_error 41 API calls 51328->51480 51335 41abb0 41 API calls 51335->51480 51347 41abb0 41 API calls 51347->51479 51364 4e6d70 78 API calls 51364->51480 51371 41ab20 41 API calls 51371->51480 51395 403040 41 API calls std::_Throw_Cpp_error 51395->51480 51401 4032d0 41 API calls std::_Throw_Cpp_error 51401->51480 51407 4235f0 41 API calls 51407->51480 51416 402df0 41 API calls std::_Throw_Cpp_error 51416->51480 51429 4163b0 41 API calls std::_Throw_Cpp_error 51429->51480 51430 402df0 41 API calls std::_Throw_Cpp_error 51430->51479 51436 402fe0 41 API calls std::_Throw_Cpp_error 51436->51480 51458 4032d0 std::_Throw_Cpp_error 41 API calls 51458->51479 51468 4163b0 41 API calls std::_Throw_Cpp_error 51468->51479 51479->51226 51479->51236 51479->51300 51479->51312 51479->51347 51479->51430 51479->51458 51479->51468 51481 4e6d70 78 API calls 51479->51481 52346 424400 44 API calls 4 library calls 51479->52346 51480->51228 51480->51236 51480->51244 51480->51259 51480->51281 51480->51320 51480->51328 51480->51335 51480->51364 51480->51371 51480->51395 51480->51401 51480->51407 51480->51416 51480->51429 51480->51436 51482 4098e0 41 API calls 51480->51482 51481->51479 51482->51480 52172 41ac81 52171->52172 52172->52172 52173 
41ac9b 52172->52173 52176 41acd3 52172->52176 52174 41e8a0 41 API calls 52173->52174 52175 41acb2 52174->52175 52175->51214 52177 41fbf0 41 API calls 52176->52177 52178 41ad24 52177->52178 52178->51214 52346->51479 53031 46a140 53042 46a17b 53031->53042 53032 46aa60 53033 4163b0 41 API calls std::_Throw_Cpp_error 53033->53042 53037 41af80 41 API calls 53037->53042 53038 413d50 41 API calls 53038->53042 53039 4138b0 41 API calls 53039->53042 53042->53032 53042->53033 53042->53037 53042->53038 53042->53039 53043 49f0d0 53042->53043 53135 49d3a0 53042->53135 53215 49af60 53042->53215 53296 4986b0 53042->53296 53373 4963b0 53042->53373 53044 49f106 53043->53044 53045 417ef0 41 API calls 53044->53045 53046 49f12f 53045->53046 53047 4140c0 41 API calls 53046->53047 53048 49f159 53047->53048 53049 41af80 41 API calls 53048->53049 53050 49f1f4 __fread_nolock 53049->53050 53051 49f212 SHGetFolderPathA 53050->53051 53052 41ac50 41 API calls 53051->53052 53053 49f23f 53052->53053 53054 41ab20 41 API calls 53053->53054 53055 49f2e4 __fread_nolock 53054->53055 53056 49f2fe GetPrivateProfileSectionNamesA 53055->53056 53108 49f331 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53056->53108 53058 4a348d lstrlen 53059 4a34a3 53058->53059 53058->53108 53060 402df0 std::_Throw_Cpp_error 41 API calls 53059->53060 53062 4a34b2 53060->53062 53061 49f422 GetPrivateProfileStringA 53061->53108 53063 402df0 std::_Throw_Cpp_error 41 API calls 53062->53063 53064 4a34c1 53063->53064 53065 402df0 std::_Throw_Cpp_error 41 API calls 53064->53065 53066 4a34cd 53065->53066 53069 402df0 std::_Throw_Cpp_error 41 API calls 53066->53069 53067 4a34fb 53071 402cf0 std::_Throw_Cpp_error 41 API calls 53067->53071 53068 41abb0 41 API calls 53068->53108 53070 4a34d9 53069->53070 53072 402df0 std::_Throw_Cpp_error 41 API calls 53070->53072 53073 4a3514 53071->53073 53074 4a34e5 53072->53074 53075 41ace0 41 API calls 53073->53075 53074->53042 53076 4a3529 53075->53076 53077 407cf0 41 
API calls 53076->53077 53078 4a3541 53077->53078 53079 4351fb std::_Throw_Cpp_error RaiseException 53078->53079 53080 4a3555 53079->53080 53081 438c70 std::_Throw_Cpp_error 41 API calls 53080->53081 53082 4a355a 53081->53082 53085 402cf0 std::_Throw_Cpp_error 41 API calls 53082->53085 53083 41e8a0 41 API calls 53083->53108 53084 4e7640 87 API calls 53084->53108 53087 4a356d 53085->53087 53086 4d6790 148 API calls 53086->53108 53090 41ace0 41 API calls 53087->53090 53088 4032d0 std::_Throw_Cpp_error 41 API calls 53088->53108 53089 41b430 53 API calls 53089->53108 53091 4a3582 53090->53091 53092 407cf0 41 API calls 53091->53092 53094 4a359a 53092->53094 53093 402df0 41 API calls std::_Throw_Cpp_error 53093->53108 53095 4351fb std::_Throw_Cpp_error RaiseException 53094->53095 53097 4a35ae 53095->53097 53096 4d65f0 87 API calls 53096->53108 53098 402cf0 std::_Throw_Cpp_error 41 API calls 53097->53098 53099 4a35c2 53098->53099 53100 41ace0 41 API calls 53099->53100 53101 4a35d7 53100->53101 53102 407cf0 41 API calls 53101->53102 53103 4a35ef 53102->53103 53104 4351fb std::_Throw_Cpp_error RaiseException 53103->53104 53105 4a3603 53104->53105 53106 417ef0 41 API calls 53106->53108 53107 4130f0 41 API calls 53107->53108 53108->53058 53108->53061 53108->53067 53108->53068 53108->53080 53108->53082 53108->53083 53108->53084 53108->53086 53108->53088 53108->53089 53108->53093 53108->53096 53108->53097 53108->53106 53108->53107 53110 4e6ca0 86 API calls 53108->53110 53111 4a1c5f CreateDirectoryA 53108->53111 53113 426db0 41 API calls 53108->53113 53114 41af80 41 API calls 53108->53114 53115 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53108->53115 53116 41ab20 41 API calls 53108->53116 53117 41ad80 41 API calls 53108->53117 53118 413d50 41 API calls 53108->53118 53119 41b0e0 41 API calls 53108->53119 53120 4a1f46 CreateDirectoryA 53108->53120 53121 41b7b0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection 53108->53121 
53122 4e6d70 78 API calls 53108->53122 53123 439820 43 API calls 53108->53123 53124 402fe0 41 API calls std::_Throw_Cpp_error 53108->53124 53125 402cf0 std::_Throw_Cpp_error 41 API calls 53108->53125 53127 41ace0 41 API calls 53108->53127 53129 403040 41 API calls std::_Throw_Cpp_error 53108->53129 53130 4a3610 154 API calls 53108->53130 53131 441628 75 API calls 53108->53131 53132 413980 41 API calls 53108->53132 53134 43d0a8 78 API calls 53108->53134 53452 440fae 53108->53452 53466 42c080 41 API calls 2 library calls 53108->53466 53467 424900 41 API calls 53108->53467 53468 413200 53108->53468 53483 41b9d0 41 API calls 2 library calls 53108->53483 53484 4136c0 41 API calls std::_Throw_Cpp_error 53108->53484 53110->53108 53111->53108 53113->53108 53114->53108 53115->53108 53116->53108 53117->53108 53118->53108 53119->53108 53120->53108 53121->53108 53122->53108 53123->53108 53124->53108 53125->53108 53127->53108 53129->53108 53130->53108 53131->53108 53132->53108 53134->53108 53136 49d3d6 53135->53136 53137 417ef0 41 API calls 53136->53137 53138 49d3ff 53137->53138 53139 4140c0 41 API calls 53138->53139 53140 49d429 53139->53140 53141 41af80 41 API calls 53140->53141 53142 49d4c4 __fread_nolock 53141->53142 53143 49d4e2 SHGetFolderPathA 53142->53143 53144 41ac50 41 API calls 53143->53144 53145 49d50f 53144->53145 53146 41ab20 41 API calls 53145->53146 53147 49d5b4 __fread_nolock 53146->53147 53148 49d5ce GetPrivateProfileSectionNamesA 53147->53148 53209 49d601 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53148->53209 53149 440fae 50 API calls 53149->53209 53150 49ef31 lstrlen 53151 49ef47 53150->53151 53150->53209 53153 402df0 std::_Throw_Cpp_error 41 API calls 53151->53153 53152 49d6f2 GetPrivateProfileStringA 53152->53209 53154 49ef56 53153->53154 53155 402df0 std::_Throw_Cpp_error 41 API calls 53154->53155 53156 49ef65 53155->53156 53159 402df0 std::_Throw_Cpp_error 41 API calls 53156->53159 53157 49f068 53162 438c70 
std::_Throw_Cpp_error 41 API calls 53157->53162 53158 41e8a0 41 API calls 53158->53209 53160 49ef71 53159->53160 53160->53042 53161 41abb0 41 API calls 53161->53209 53163 49f072 53162->53163 53164 402cf0 std::_Throw_Cpp_error 41 API calls 53163->53164 53165 49f089 53164->53165 53166 41ace0 41 API calls 53165->53166 53167 49f09e 53166->53167 53168 407cf0 41 API calls 53167->53168 53169 49f0b6 53168->53169 53171 4351fb std::_Throw_Cpp_error RaiseException 53169->53171 53170 41ab20 41 API calls 53170->53209 53172 49f0ca 53171->53172 53173 439820 43 API calls 53173->53209 53174 43d0a8 78 API calls 53174->53209 53175 402df0 41 API calls std::_Throw_Cpp_error 53175->53209 53176 4140c0 41 API calls 53176->53209 53177 4e64d0 44 API calls 53177->53209 53178 4032d0 41 API calls std::_Throw_Cpp_error 53178->53209 53180 49efc0 53183 402cf0 std::_Throw_Cpp_error 41 API calls 53180->53183 53181 4185d0 76 API calls 53181->53209 53182 416130 41 API calls 53182->53209 53184 49efd7 53183->53184 53185 41ace0 41 API calls 53184->53185 53186 49efec 53185->53186 53188 407cf0 41 API calls 53186->53188 53187 4d6790 148 API calls 53187->53209 53189 49f004 53188->53189 53190 4351fb std::_Throw_Cpp_error RaiseException 53189->53190 53190->53157 53191 49ef86 53193 402cf0 std::_Throw_Cpp_error 41 API calls 53191->53193 53192 4d65f0 87 API calls 53192->53209 53194 49ef99 53193->53194 53195 41ace0 41 API calls 53194->53195 53202 49ee87 53195->53202 53196 407cf0 41 API calls 53196->53189 53197 49ee5e 53199 402cf0 std::_Throw_Cpp_error 41 API calls 53197->53199 53198 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53198->53209 53200 49ee72 53199->53200 53201 41ace0 41 API calls 53200->53201 53201->53202 53202->53196 53203 417ef0 41 API calls 53203->53209 53205 426db0 41 API calls 53205->53209 53206 403040 41 API calls std::_Throw_Cpp_error 53206->53209 53207 4180a0 41 API calls 53207->53209 53208 49f014 53211 402cf0 std::_Throw_Cpp_error 41 API calls 
53208->53211 53209->53149 53209->53150 53209->53152 53209->53157 53209->53158 53209->53161 53209->53163 53209->53170 53209->53173 53209->53174 53209->53175 53209->53176 53209->53177 53209->53178 53209->53180 53209->53181 53209->53182 53209->53187 53209->53191 53209->53192 53209->53197 53209->53198 53209->53203 53209->53205 53209->53206 53209->53207 53209->53208 53210 424900 41 API calls 53209->53210 53212 413d50 41 API calls 53209->53212 53492 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53209->53492 53493 423f40 102 API calls 4 library calls 53209->53493 53210->53209 53213 49f027 53211->53213 53212->53209 53214 41ace0 41 API calls 53213->53214 53214->53202 53216 49af96 53215->53216 53217 417ef0 41 API calls 53216->53217 53218 49afbf 53217->53218 53219 4140c0 41 API calls 53218->53219 53220 49afe9 53219->53220 53221 41af80 41 API calls 53220->53221 53222 49b128 __fread_nolock 53221->53222 53223 49b146 SHGetFolderPathA 53222->53223 53224 41ac50 41 API calls 53223->53224 53225 49b173 53224->53225 53226 41ab20 41 API calls 53225->53226 53227 49b227 __fread_nolock 53226->53227 53228 49b241 GetPrivateProfileSectionNamesA 53227->53228 53276 49b274 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53228->53276 53229 440fae 50 API calls 53229->53276 53230 49d22c lstrlen 53231 49d242 53230->53231 53230->53276 53232 402df0 std::_Throw_Cpp_error 41 API calls 53231->53232 53234 49d251 53232->53234 53233 49b365 GetPrivateProfileStringA 53233->53276 53235 402df0 std::_Throw_Cpp_error 41 API calls 53234->53235 53236 49d260 53235->53236 53238 402df0 std::_Throw_Cpp_error 41 API calls 53236->53238 53237 49d329 53242 438c70 std::_Throw_Cpp_error 41 API calls 53237->53242 53240 49d26c 53238->53240 53239 41e8a0 41 API calls 53239->53276 53240->53042 53241 41abb0 41 API calls 53241->53276 53243 49d333 53242->53243 53495 419e60 RaiseException 53243->53495 53245 49d338 53246 402cf0 std::_Throw_Cpp_error 41 API calls 
53245->53246 53247 49d34f 53246->53247 53248 41ace0 41 API calls 53247->53248 53249 49d364 53248->53249 53251 407cf0 41 API calls 53249->53251 53250 41ab20 41 API calls 53250->53276 53252 49d37c 53251->53252 53254 4351fb std::_Throw_Cpp_error RaiseException 53252->53254 53253 439820 43 API calls 53253->53276 53255 49d390 53254->53255 53256 43d0a8 78 API calls 53256->53276 53257 417ef0 41 API calls 53257->53276 53258 4140c0 41 API calls 53258->53276 53259 4e64d0 44 API calls 53259->53276 53261 49d281 53264 402cf0 std::_Throw_Cpp_error 41 API calls 53261->53264 53262 4032d0 41 API calls std::_Throw_Cpp_error 53262->53276 53263 4185d0 76 API calls 53263->53276 53266 49d298 53264->53266 53265 416130 41 API calls 53265->53276 53267 41ace0 41 API calls 53266->53267 53269 49d2ad 53267->53269 53268 4d6790 148 API calls 53268->53276 53270 407cf0 41 API calls 53269->53270 53271 49d2c5 53270->53271 53273 4351fb std::_Throw_Cpp_error RaiseException 53271->53273 53272 41af80 41 API calls 53272->53276 53273->53237 53274 4d65f0 87 API calls 53274->53276 53275 49d0d3 53279 402cf0 std::_Throw_Cpp_error 41 API calls 53275->53279 53276->53229 53276->53230 53276->53233 53276->53237 53276->53239 53276->53241 53276->53243 53276->53245 53276->53250 53276->53253 53276->53256 53276->53257 53276->53258 53276->53259 53276->53261 53276->53262 53276->53263 53276->53265 53276->53268 53276->53272 53276->53274 53276->53275 53277 413d50 41 API calls 53276->53277 53278 424900 41 API calls 53276->53278 53283 41fbf0 41 API calls 53276->53283 53284 418f00 std::_Throw_Cpp_error 41 API calls 53276->53284 53285 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53276->53285 53286 402df0 41 API calls std::_Throw_Cpp_error 53276->53286 53287 403040 41 API calls std::_Throw_Cpp_error 53276->53287 53288 426db0 41 API calls 53276->53288 53289 4163b0 std::_Throw_Cpp_error 41 API calls 53276->53289 53290 4180a0 41 API calls 53276->53290 53291 49d2d5 53276->53291 53494 
41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53276->53494 53277->53276 53278->53276 53280 49d0e6 53279->53280 53281 41ace0 41 API calls 53280->53281 53295 49d0fb 53281->53295 53282 407cf0 41 API calls 53282->53271 53283->53276 53284->53276 53285->53276 53286->53276 53287->53276 53288->53276 53289->53276 53290->53276 53292 402cf0 std::_Throw_Cpp_error 41 API calls 53291->53292 53293 49d2e8 53292->53293 53294 41ace0 41 API calls 53293->53294 53294->53295 53295->53282 53297 4986e6 53296->53297 53298 417ef0 41 API calls 53297->53298 53299 49870f 53298->53299 53300 4140c0 41 API calls 53299->53300 53301 498739 53300->53301 53302 41af80 41 API calls 53301->53302 53303 4987d4 __fread_nolock 53302->53303 53304 4987f2 SHGetFolderPathA 53303->53304 53305 41ac50 41 API calls 53304->53305 53306 49881f 53305->53306 53307 41ab20 41 API calls 53306->53307 53308 4988c4 __fread_nolock 53307->53308 53309 4988de GetPrivateProfileSectionNamesA 53308->53309 53363 498914 std::ios_base::_Ios_base_dtor __fread_nolock std::_Locinfo::_Locinfo_ctor 53309->53363 53310 440fae 50 API calls 53310->53363 53311 49ae10 lstrlen 53312 49ae29 53311->53312 53311->53363 53314 402df0 std::_Throw_Cpp_error 41 API calls 53312->53314 53313 498a05 GetPrivateProfileStringA 53313->53363 53315 49ae38 53314->53315 53316 402df0 std::_Throw_Cpp_error 41 API calls 53315->53316 53318 49ae47 53316->53318 53317 49aef7 53323 438c70 std::_Throw_Cpp_error 41 API calls 53317->53323 53320 402df0 std::_Throw_Cpp_error 41 API calls 53318->53320 53319 41e8a0 41 API calls 53319->53363 53321 49ae53 53320->53321 53321->53042 53322 41abb0 41 API calls 53322->53363 53324 49af01 53323->53324 53326 402cf0 std::_Throw_Cpp_error 41 API calls 53324->53326 53325 402df0 41 API calls std::_Throw_Cpp_error 53325->53363 53327 49af15 53326->53327 53328 41ace0 41 API calls 53327->53328 53329 49af2a 53328->53329 53330 407cf0 41 API calls 53329->53330 53331 49af42 53330->53331 53332 4351fb 
std::_Throw_Cpp_error RaiseException 53331->53332 53334 49af56 53332->53334 53333 41ab20 41 API calls 53333->53363 53335 439820 43 API calls 53335->53363 53336 43d0a8 78 API calls 53336->53363 53337 417ef0 41 API calls 53337->53363 53338 4140c0 41 API calls 53338->53363 53339 4e64d0 44 API calls 53339->53363 53340 4032d0 41 API calls std::_Throw_Cpp_error 53340->53363 53342 49ae68 53344 402cf0 std::_Throw_Cpp_error 41 API calls 53342->53344 53343 4185d0 76 API calls 53343->53363 53345 49ae7f 53344->53345 53347 41ace0 41 API calls 53345->53347 53346 416130 41 API calls 53346->53363 53349 49ad42 53347->53349 53348 4d6790 148 API calls 53348->53363 53350 407cf0 41 API calls 53349->53350 53351 49aee3 53350->53351 53353 4351fb std::_Throw_Cpp_error RaiseException 53351->53353 53352 41af80 41 API calls 53352->53363 53353->53317 53354 4d65f0 87 API calls 53354->53363 53355 49ad1a 53358 402cf0 std::_Throw_Cpp_error 41 API calls 53355->53358 53356 413d50 41 API calls 53356->53363 53357 424900 41 API calls 53357->53363 53359 49ad2d 53358->53359 53360 41ace0 41 API calls 53359->53360 53360->53349 53361 433672 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53361->53363 53362 403040 41 API calls std::_Throw_Cpp_error 53362->53363 53363->53310 53363->53311 53363->53313 53363->53317 53363->53319 53363->53322 53363->53324 53363->53325 53363->53333 53363->53335 53363->53336 53363->53337 53363->53338 53363->53339 53363->53340 53363->53342 53363->53343 53363->53346 53363->53348 53363->53352 53363->53354 53363->53355 53363->53356 53363->53357 53363->53361 53363->53362 53364 4412f6 50 API calls 53363->53364 53365 426db0 41 API calls 53363->53365 53366 402fe0 41 API calls std::_Throw_Cpp_error 53363->53366 53368 4180a0 41 API calls 53363->53368 53369 49aea3 53363->53369 53496 41c3a0 RaiseException RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 53363->53496 53497 42c080 41 API calls 2 library calls 53363->53497 53364->53363 
53365->53363 53366->53363 53368->53363 53370 402cf0 std::_Throw_Cpp_error 41 API calls 53369->53370 53371 49aeb6 53370->53371 53372 41ace0 41 API calls 53371->53372 53372->53349 53374 4963e6 53373->53374 53375 417ef0 41 API calls 53374->53375 53376 49640f 53375->53376 53377 4140c0 41 API calls 53376->53377 53378 496439 53377->53378 53379 41af80 41 API calls 53378->53379 53380 4964d4 __fread_nolock 53379->53380 53381 4964f2 SHGetFolderPathA 53380->53381 53382 41ac50 41 API calls 53381->53382 53383 49651f 53382->53383 53384 41ab20 41 API calls 53383->53384 53385 4965c4 __fread_nolock 53384->53385 53386 4965de GetPrivateProfileSectionNamesA 53385->53386 53389 496611 std::ios_base::_Ios_base_dtor __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z std::_Locinfo::_Locinfo_ctor 53386->53389 53387 440fae 50 API calls 53387->53389 53388 49854e lstrlen 53388->53389 53390 498564 53388->53390 53389->53387 53389->53388 53392 496702 GetPrivateProfileStringA 53389->53392 53396 49864b 53389->53396 53397 41e8a0 41 API calls 53389->53397 53401 41abb0 41 API calls 53389->53401 53402 498655 53389->53402 53409 41ab20 41 API calls 53389->53409 53412 439820 43 API calls 53389->53412 53413 43d0a8 78 API calls 53389->53413 53414 402df0 41 API calls std::_Throw_Cpp_error 53389->53414 53415 4140c0 41 API calls 53389->53415 53416 4e64d0 44 API calls 53389->53416 53418 4985a3 53389->53418 53419 4032d0 41 API calls std::_Throw_Cpp_error 53389->53419 53420 4185d0 76 API calls 53389->53420 53421 4180a0 41 API calls 53389->53421 53422 416130 41 API calls 53389->53422 53427 4d6790 148 API calls 53389->53427 53430 41af80 41 API calls 53389->53430 53432 4d65f0 87 API calls 53389->53432 53433 4983f5 53389->53433 53434 413d50 41 API calls 53389->53434 53435 424900 41 API calls 53389->53435 53441 41fbf0 41 API calls 53389->53441 53442 418f00 std::_Throw_Cpp_error 41 API calls 53389->53442 53443 417ef0 41 API calls 53389->53443 53444 433672 std::_Facet_Register 3 API calls 53389->53444 53445 
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                    • CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
                                    • FindClose.KERNEL32(00000000), ref: 004E057C
                                    • GetLastError.KERNEL32 ref: 004E0582
                                    • GetLastError.KERNEL32 ref: 004E05A0
                                      • Part of subcall function 004E71E0: GetCurrentProcess.KERNEL32(004E0900), ref: 004E71EF
                                      • Part of subcall function 004E71E0: IsWow64Process.KERNEL32(00000000), ref: 004E71F6
                                      • Part of subcall function 0044196B: GetSystemTimeAsFileTime.KERNEL32(004E0A78,00000000,00000000,?,?,?,004E0A78,00000000), ref: 00441980
                                      • Part of subcall function 0044196B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044199F
                                    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?,?,?), ref: 004E0D31
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E0DFD
                                    • RegCloseKey.ADVAPI32(?), ref: 004E0E32
                                    • GetCurrentHwProfileA.ADVAPI32(?), ref: 004E0FCA
                                    • GetModuleHandleExA.KERNEL32(00000004,004E5FC0,?,?,?,?,?,?,?,?,00000000), ref: 004E14CB
                                    • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,00000000), ref: 004E14E3
                                    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 004E1E96
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E1F62
                                    • RegCloseKey.ADVAPI32(?), ref: 004E21E1
                                    • GetComputerNameA.KERNEL32(?,?), ref: 004E2215
                                    • GetUserNameA.ADVAPI32(?,?), ref: 004E23B3
                                    • GetDesktopWindow.USER32 ref: 004E2456
                                    • GetWindowRect.USER32(00000000,?), ref: 004E2464
                                    • GetUserDefaultLocaleName.KERNEL32(?,00000200), ref: 004E25CF
                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 004E2A95
                                    • LocalAlloc.KERNEL32(00000040), ref: 004E2AA7
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 004E2AC2
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004E2AED
                                    • LocalFree.KERNEL32(?), ref: 004E2CB0
                                    • GetLocalTime.KERNEL32(?), ref: 004E2CC7
                                    • GetSystemTime.KERNEL32(?), ref: 004E2EDD
                                    • GetTimeZoneInformation.KERNELBASE(?), ref: 004E2F00
                                    • TzSpecificLocalTimeToSystemTime.KERNELBASE(?,?,?), ref: 004E2F25
                                    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E333F
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 004E3491
                                    • RegCloseKey.ADVAPI32(?), ref: 004E3542
                                    • GetSystemInfo.KERNELBASE(?), ref: 004E356A
                                    • GlobalMemoryStatusEx.KERNELBASE(?), ref: 004E361D
                                    • EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004E3731
                                    • EnumDisplayDevicesA.USER32(00000000,00000001,?,00000001), ref: 004E3B14
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004E3C53
                                    • Process32First.KERNEL32(00000000,?), ref: 004E3C6B
                                    • Process32Next.KERNEL32(00000000,?), ref: 004E3C81
                                    • Process32Next.KERNEL32(00000000,?), ref: 004E3D53
                                    • CloseHandle.KERNEL32(00000000), ref: 004E3D62
                                    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E40D6
                                    • RegEnumKeyExA.KERNELBASE(?,00000000,?,?), ref: 004E410D
                                    • wsprintfA.USER32 ref: 004E41F0
                                    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 004E4213
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 004E4312
                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 004E4409
                                    • RegCloseKey.ADVAPI32(?), ref: 004E44E5
                                    • RegCloseKey.ADVAPI32(?), ref: 004E4500
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: CloseTime$FileOpenQueryValue$LocalNameSystem$EnumFindNextProcess32$CreateCurrentDevicesDisplayErrorFirstHandleInfoKeyboardLastLayoutListLocaleModuleProcessUserWindow$AllocComputerCopyDefaultDesktopDirectoryFreeGlobalInformationMemoryProfileRectSnapshotSpecificStatusToolhelp32Unothrow_t@std@@@Wow64Zone__ehfuncinfo$??2@wsprintf
                                    • String ID: 2.0$3"A$;Yb.$fulka
                                    • API String ID: 3185416054-2087396335
                                    • Opcode ID: dff9da2274bc10b59d336168ad1365bd81f2a12a0388a4337a5d4b5432b3e917
                                    • Instruction ID: 762722eee12899a3fad9018c2ab51fc1fd94b4ba954c9d0aaa9e31c72487c533
                                    • Opcode Fuzzy Hash: dff9da2274bc10b59d336168ad1365bd81f2a12a0388a4337a5d4b5432b3e917
                                    • Instruction Fuzzy Hash: BFB3EFB4D0426D8BDB25CF99C981AEEBBB1FF48300F1041AAD949B7351DB345A81CFA5
                                    APIs
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BAD2
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040BF80
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C47A
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C575
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040C969
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040CD72
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D17B
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D29A
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040D6F8
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D9DC
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DAD7
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040DE41
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 0040E55A
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040ECF6
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040EEEA
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F45B
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F525
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 004101ED
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410580
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0041088D
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00410DC4
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 0041173C
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411904
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00411CD7
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411E6E
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00411FBE
                                    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410B14
                                      • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00410F12
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FEF1
                                      • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040FC55
                                      • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040F933
                                      • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                      • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                      • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                      • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                      • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040E6FA
                                      • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                      • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 0042910D
                                      • Part of subcall function 00429070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00429155
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040DF3C
                                      • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                      • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                                      • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                                      • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040D5FD
                                      • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BB07
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BD08
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040BD37
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C0CC
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040C196
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Directory$Create$File$Copy$Find$Cpp_errorThrow_std::_$AttributesErrorFirstLast$FolderPath___std_fs_convert_narrow_to_wide@20$CloseDeleteNextRemove
                                    • String ID:
                                    • API String ID: 1172780710-0
                                    • Opcode ID: 29938c2e1f67a8f7752316edec3deb9e51ef0fd2753200a526bf6a5ee63613ca
                                    • Instruction ID: 57087eddf2f8576e704702d152c9cc5b4e2b87ff67a8e07952ed474be97f1841
                                    • Opcode Fuzzy Hash: 29938c2e1f67a8f7752316edec3deb9e51ef0fd2753200a526bf6a5ee63613ca
                                    • Instruction Fuzzy Hash: 56F3E2B4D0425D8BDF25CF99C981AEEBBB1BF18304F1041AAD849B7341DB385A85CF69
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004AA277
                                      • Part of subcall function 004C6000: FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: FileFindFirstFolderPath
                                    • String ID: ;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$;Yb.$Jzv"$WUa5$X<b.$cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 2195519125-383699475
                                    • Opcode ID: dde1733d0f0c4abb1d430d70d7d4e41d52c16f70ef10a188c723f1ca88d9d5b1
                                    • Instruction ID: d5c29c46e18a526762dbfc7c8aed9f945ae13eab665394adbd88e65e82b678fb
                                    • Opcode Fuzzy Hash: dde1733d0f0c4abb1d430d70d7d4e41d52c16f70ef10a188c723f1ca88d9d5b1
                                    • Instruction Fuzzy Hash: 29B433B0D052698BDB25CF68C984BEEBBB1BF49304F1081DAD449A7281DB746F84CF95
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,0055B192,000000FF), ref: 004D766C
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004D7693
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7959
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D7CBB
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004D8DF7
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D9992
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA31E
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DA3EF
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DA712
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAA7D
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DAB4E
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DAE39
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 004DB0C9
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB27C
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB556
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DB93C
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 004DBCF1
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DBEA4
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC17E
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC564
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9FB3
                                      • Part of subcall function 004DFF00: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004E0556
                                      • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E05A0
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DC99C
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DCAF3
                                      • Part of subcall function 004DE430: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D9C53
                                      • Part of subcall function 004E6770: SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                      • Part of subcall function 004E6770: DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                      • Part of subcall function 004E6770: RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                      • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                      • Part of subcall function 004E6770: std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                      • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6B20
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 004D9648
                                      • Part of subcall function 004DFF00: FindNextFileA.KERNEL32(00000000,?), ref: 004E056C
                                      • Part of subcall function 004DFF00: FindClose.KERNEL32(00000000), ref: 004E057C
                                      • Part of subcall function 004DFF00: GetLastError.KERNEL32 ref: 004E0582
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004D91DD
                                      • Part of subcall function 004E6770: FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                      • Part of subcall function 004E6770: FindClose.KERNEL32(?), ref: 004E6ACA
                                      • Part of subcall function 004E6770: GetLastError.KERNEL32 ref: 004E6AD0
                                      • Part of subcall function 004E6770: SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 004D896A
                                      • Part of subcall function 004DFF00: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00565B0C,00000001,0000002E,0000002F,?,0055B49C,3"A,0055B49C), ref: 004E03DB
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004D8B1D
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?), ref: 004D8362
                                      • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004D8623
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004D801B
                                      • Part of subcall function 004DFF00: FindFirstFileA.KERNEL32(00000000,?), ref: 004E010B
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Directory$Create$File$Find$ErrorLast$CopyCpp_errorThrow_std::_$AttributesFolderPath$CloseFirstNext$DeleteRemove
                                    • String ID:
                                    • API String ID: 1140557632-0
                                    • Opcode ID: 5390f64dea3d9a6db721b8f9ffaf1a58166a76a045dce46671a256603e264793
                                    • Instruction ID: 6b404ecdfd53acb60f6cf5d734e717c5294ca690171ae70fa85b8f1a38f34a58
                                    • Opcode Fuzzy Hash: 5390f64dea3d9a6db721b8f9ffaf1a58166a76a045dce46671a256603e264793
                                    • Instruction Fuzzy Hash: 76F3F2B4D0525A8BCF15CFA9C9916EEBBB0BF18304F20419AD549B7341DB346B84CFA6
                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B
                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049086F
                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00490895
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490A2C
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490CB3
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490DA0
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490EE1
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 00490FCB
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 004910B5
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 0049119F
                                    • RegCloseKey.ADVAPI32(?), ref: 0049229B
                                    • RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 004922D1
                                    • RegCloseKey.ADVAPI32(?), ref: 004922E5
                                    Strings
                                    • cannot use push_back() with , xrefs: 00492345
                                    • cannot use operator[] with a string argument with , xrefs: 0049239E, 004923F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: QueryValue$CloseEnumOpen
                                    • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 2041898428-3306948993
                                    • Opcode ID: 5946746af7e7c4e0a5297f6e30476794f86a0940cb8ae31181f25244c3e8b2ed
                                    • Instruction ID: 6d5f253b48c5edfa20594e0b0a8a78ae050bf84d77acb07cc1b8e3b44561805a
                                    • Opcode Fuzzy Hash: 5946746af7e7c4e0a5297f6e30476794f86a0940cb8ae31181f25244c3e8b2ed
                                    • Instruction Fuzzy Hash: 511322B0C042698BDB25CF68CD84BEEBBB4BF49304F1042EAD549A7241EB756B85CF54
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00493FA7
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0049455F
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0049496C
                                    • FindClose.KERNEL32(00000000), ref: 0049497C
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494A53
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494B19
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00494C9D
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 00494E44
                                    • CopyFileA.KERNEL32(00000000,?,00000000), ref: 004950F8
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00495638
                                    • CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 004959FD
                                    • LocalFree.KERNELBASE(00000000,?,?,?,00000004), ref: 004962D7
                                      • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,0041ABA8,?,?,?,00431D09,0041ABA8,005799D8,00000000,0041ABA8), ref: 0043525B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: File$CopyCreateDirectoryFind$Cpp_errorThrow_std::_$AttributesCloseCredEnumerateErrorExceptionFirstFolderFreeLastLocalNextPathRaise
                                    • String ID: cannot use operator[] with a string argument with $tmX
                                    • API String ID: 3528249430-2011928656
                                    • Opcode ID: 93cc280b991213086fc3ba39d16c6f2f68f57f13cecc015aee9d1279f3e23cc5
                                    • Instruction ID: 1c5c2bc117abc336d538eb0f3ab0e4b698252c7f2e821ac10c87ad1798346723
                                    • Opcode Fuzzy Hash: 93cc280b991213086fc3ba39d16c6f2f68f57f13cecc015aee9d1279f3e23cc5
                                    • Instruction Fuzzy Hash: 0E3310B4C042698BDB25CFA8C994BEDBBB0BF18304F1041EAD849A7351EB346B85CF55
                                    APIs
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 004827AB
                                    • SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00482AA7
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00482DA5
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00483105
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00483433
                                    • SHGetFolderPathA.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00483737
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 004844E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: FolderPath$AttributesConcurrency::cancel_current_taskErrorFileLast
                                    • String ID: cannot compare iterators of different containers$cannot get value$type must be boolean, but is $type must be string, but is
                                    • API String ID: 1974481932-2698695959
                                    • Opcode ID: afeb7c343c3f2984b584d206bfe4fd743c362d36eb89660619f81b940cf26a6d
                                    • Instruction ID: 7d592af2553ac1c7978d8671279e796c0dcb22ab630186640302ddbce1f3b4fb
                                    • Opcode Fuzzy Hash: afeb7c343c3f2984b584d206bfe4fd743c362d36eb89660619f81b940cf26a6d
                                    • Instruction Fuzzy Hash: D74334B0C042698BDB25DF28C994BEEBBB5BF48304F1082DAD449A7281DB756F84CF55

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                     control_flow_graph of 004E6770 (rendered graph not recoverable from the extracted text): basic blocks 4e6770 to 4e6c0f; call sites FindFirstFileA (4e68f1), FindNextFileA (4e6aae), FindClose and GetLastError (4e6ac7), SetFileAttributesA (4e6a79 and 4e6ae7), DeleteFileA (4e6a98), RemoveDirectoryA (4e6b0a), GetLastError (4e6b20); the block at 4e6a5b calls 4e6770 itself (recursion); blocks 4e6be5 and 4e6bec call 432534 before the common exit path through 402c60 and 438c70.
                                    APIs
                                    • FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A
                                    • DeleteFileA.KERNEL32(?), ref: 004E6AA4
                                    • FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                    • FindClose.KERNEL32(?), ref: 004E6ACA
                                    • GetLastError.KERNEL32 ref: 004E6AD0
                                    • SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                    • RemoveDirectoryA.KERNELBASE(?), ref: 004E6B0B
                                    • GetLastError.KERNEL32 ref: 004E6B20
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: File$Find$AttributesCpp_errorErrorLastThrow_std::_$CloseDeleteDirectoryFirstNextRemove
                                    • String ID: \*.*
                                    • API String ID: 460640838-1173974218
                                    • Opcode ID: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                                    • Instruction ID: d809dff945c313677263d2cc5f51936a643c350294cf92fd29307912c56e1fe7
                                    • Opcode Fuzzy Hash: fa9544b1f4525edcf2a18f77abf6cc53c36d2fc4c8b78e4902afa25aa6e8371b
                                    • Instruction Fuzzy Hash: EDD11670C00288CFDB10DFA9C9487EEBBB1FF65305F20425AE454BB292D7786A89DB55
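The API listings on this page give their arguments as raw hex: the RegOpenKeyExA call at 0049083B opens 80000001 with access mask 00020019, the SHGetFolderPathA calls pass CSIDL values 00000000, 00000005, 00000008, 0000001A, 0000001C and 00000028, CredEnumerateA at 004959FD is called with flags 00000001, and the routine at 004E6770 sets attribute 00000080 before DeleteFileA and RemoveDirectoryA. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that parses those "• Name.Module(args), ref: ADDR" lines exactly as they appear in this listing and names the constants; its constant tables cover only the APIs seen on this page, and its sample input is copied from the listings above.

```python
"""Decode the API-call lines of a Joe Sandbox function listing.

Added example, not part of the Joe Sandbox report: it reads the
"• Name.Module(args), ref: ADDR" lines exactly as they appear in the
listing and names the numeric constants that tell an analyst what the
sample touches (CSIDL folder ids, registry hives and access masks,
CredEnumerate flags, file attributes).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Windows SDK constants (shlobj.h, winreg.h, winnt.h, wincred.h).
CSIDL = {
    0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x08: "CSIDL_RECENT",
    0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE",
}
HKEY = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
}
REGSAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
FILE_ATTR = {0x80: "FILE_ATTRIBUTE_NORMAL"}
CRED_FLAGS = {0x1: "CRED_ENUMERATE_ALL_CREDENTIALS"}

# Per API: (zero-based argument index, lookup table).  Only the APIs that
# occur in this listing are covered; extend the table for other reports.
DECODERS: Dict[str, List[Tuple[int, Dict[int, str]]]] = {
    "SHGetFolderPathA": [(1, CSIDL)],
    "RegOpenKeyExA": [(0, HKEY), (3, REGSAM)],
    "SetFileAttributesA": [(1, FILE_ATTR)],
    "CredEnumerateA": [(1, CRED_FLAGS)],
}

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>\w+)"      # Name.Module (names may hold :: $ ? @)
    r"(?:\((?P<args>[^)]*)\))?"        # optional (arg,arg,...)
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one listing line; returns None for headers such as 'APIs'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    call = ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub"))
    for idx, table in DECODERS.get(call.api, []):
        # Only all-hex arguments are constants: '?' means the value was not
        # recovered, and literals such as \*.* are left alone.
        if idx < len(args) and re.fullmatch(r"[0-9A-Fa-f]+", args[idx]):
            name = table.get(int(args[idx], 16))
            if name:
                call.notes.append(f"arg{idx}={name}")
    return call


def summarize(lines: List[str]) -> Dict[str, object]:
    """Roll the decoded calls up into the facts an analyst checks first."""
    calls = [c for c in map(parse_line, lines) if c]

    def named(api: str, prefix: str) -> List[str]:
        return sorted({n.split("=", 1)[1] for c in calls if c.api == api
                       for n in c.notes if n.startswith(prefix)})

    return {
        "calls": len(calls),
        "folders": named("SHGetFolderPathA", "arg1="),
        "registry_hives": named("RegOpenKeyExA", "arg0="),
        "enumerates_credential_manager":
            "CRED_ENUMERATE_ALL_CREDENTIALS" in named("CredEnumerateA", "arg1="),
        # Resetting attributes to FILE_ATTRIBUTE_NORMAL right before a delete
        # is how read-only files and directories get removed.
        "clears_readonly_before_delete": bool(named("SetFileAttributesA", "arg1="))
            and any(c.api in ("DeleteFileA", "RemoveDirectoryA") for c in calls),
        "wildcard_search": sorted({a for c in calls if c.api == "FindFirstFileA"
                                   for a in c.args if "*" in a}),
    }


# Sample input: lines copied verbatim from the listings on this page.
SAMPLE_LINES = [
    "• RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 0049083B",
    "• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00493FA7",
    "  • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC",
    "• CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,00000004), ref: 004959FD",
    "• SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00482AA7",
    "• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00482DA5",
    "• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00483433",
    "• FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\\*.*,00000004), ref: 004E68E5",
    "• SetFileAttributesA.KERNEL32(?,00000080,?,?,005894F8,?,?), ref: 004E6A8A",
    "• DeleteFileA.KERNEL32(?), ref: 004E6AA4",
    "• GetLastError.KERNEL32 ref: 004E6AD0",
    "• std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7",
    "APIs",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        call = parse_line(line)
        if call:
            print(f"{call.ref} {call.api:<24} {' '.join(call.notes)}")
    print(summarize(SAMPLE_LINES))
```

Paste the APIs block of any function on this page into SAMPLE_LINES to decode it; arguments shown as "?" were not recovered by the plugin and are reported as-is, and an all-hex literal that is really a string (none occur in this listing) would be looked up like a constant, so check the notes against the Strings section of the same function.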
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049F224
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049F322
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049F515
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1C76
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004A1F5D
                                    • lstrlen.KERNEL32(?), ref: 004A348E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
                                    • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with $~]d
                                    • API String ID: 2833034228-1763774129
                                    • Opcode ID: af9c3ee160c083d87f8f0253d153ea2b5f0e5ccde48d4ac4de87b8facbafc8e3
                                    • Instruction ID: 3f98b5ef17dcfaa8f689e4fcb5a5d7fbbd5e2711f2842c60bb6495c93d0a2e70
                                    • Opcode Fuzzy Hash: af9c3ee160c083d87f8f0253d153ea2b5f0e5ccde48d4ac4de87b8facbafc8e3
                                    • Instruction Fuzzy Hash: 2793DCB4D052A98ADB65CF29C990BEDBBB1BF59304F0081EAD84DA7241DB742BC4CF45
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00496504
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00496602
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 004967F5
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498078
                                    • lstrlen.KERNEL32(?), ref: 0049854F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                    • String ID: ;Yb.$Tz}9$cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 3203477177-4100205650
                                    • Opcode ID: 235236c53e86f3e16a1bc5403e9e339844307a417c8b7751e49bf2abbf12d8ee
                                    • Instruction ID: 6b3be8cf9a559e92d133cc3b6572ed682d4dab2050fd03768d9c929fe5be15d2
                                    • Opcode Fuzzy Hash: 235236c53e86f3e16a1bc5403e9e339844307a417c8b7751e49bf2abbf12d8ee
                                    • Instruction Fuzzy Hash: 352300B0D052688BDB25CF28C9947EDBBB5BF49304F1082EAE449A7281DB746BC4CF55
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00498804
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00498902
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00498AF8
                                    • lstrlen.KERNEL32(?), ref: 0049AE11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                    • String ID: ;Yb.$AN|5$cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 1311570089-1903585501
                                    • Opcode ID: d064d6bdb9a19864aecf9687ba338553f9dff80974f6e0a2c8f398cf11f7335e
                                    • Instruction ID: e112265f5291f7fbed9e5ebb381307dd27655726dfd0f1f0b2bb5fda635101ca
                                    • Opcode Fuzzy Hash: d064d6bdb9a19864aecf9687ba338553f9dff80974f6e0a2c8f398cf11f7335e
                                    • Instruction Fuzzy Hash: D44322B0D052688BDB25CF28C8947EEBBB5BF49304F1082EAD449A7242DB756BC4CF55
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049B158
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049B265
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049B458
                                    • lstrlen.KERNEL32(?), ref: 0049D22D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                    • String ID: ;Yb.$cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 1311570089-747751661
                                    • Opcode ID: 90125a2b97778f8c0d5befefbf4df6ce49c2d9186877984ac78290b24fd30612
                                    • Instruction ID: b2dbe3f5757ef5304a2bca7f4d9e3a7c922558eb406562d1b13ccbd165419304
                                    • Opcode Fuzzy Hash: 90125a2b97778f8c0d5befefbf4df6ce49c2d9186877984ac78290b24fd30612
                                    • Instruction Fuzzy Hash: BF2321B0D042688BDB25CF28C9947EDBBB1BF59304F1082EAE449A7281DB746BC4CF55

                                    Control-flow Graph (rendered graph not preserved; basic blocks 4c8590-4c86b8, executed/not-executed colouring lost). API calls visible in the graph: WSAStartup, getaddrinfo, socket, connect, closesocket, FreeAddrInfoW, WSACleanup.
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                    • String ID:
                                    • API String ID: 448659506-0
                                    • Opcode ID: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                    • Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
                                    • Opcode Fuzzy Hash: b89627014a15d46737fbc47111d25383b59242ed97850ca45924e6f99d10e442
                                    • Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0049D4F4
                                    • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0049D5F2
                                    • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0049D7E5
                                    • lstrlen.KERNEL32(?), ref: 0049EF32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                    • String ID: cannot use operator[] with a string argument with $cannot use push_back() with
                                    • API String ID: 1311570089-3306948993
                                    • Opcode ID: 8073a6cadb049f861fca1bde0f205ce5b4311b50e7193c3126959926ef6b8582
                                    • Instruction ID: d38aed82ee4788d52106214de1412b854dd9129e0c255bb6c7140376d04d8967
                                    • Opcode Fuzzy Hash: 8073a6cadb049f861fca1bde0f205ce5b4311b50e7193c3126959926ef6b8582
                                    • Instruction Fuzzy Hash: 570334B0D042688BDB25CF28C9947EEBBB4BF59304F1042EED449A7281EB746B84CF55

                                    Control-flow Graph (rendered graph not preserved; basic blocks 4e67a8-4e6c0f, executed/not-executed colouring lost). API calls visible in the graph: FindFirstFileA, FindNextFileA, FindClose, GetLastError, SetFileAttributesA, RemoveDirectoryA, DeleteFileA.
                                    APIs
                                    • FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    • FindNextFileA.KERNELBASE(?,00000010), ref: 004E6AB8
                                    • FindClose.KERNEL32(?), ref: 004E6ACA
                                    • GetLastError.KERNEL32 ref: 004E6AD0
                                    • SetFileAttributesA.KERNELBASE(?,00000080), ref: 004E6AED
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BE7
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6BF8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: FileFind$Cpp_errorThrow_std::_$AttributesCloseErrorFirstLastNext
                                    • String ID: \*.*
                                    • API String ID: 3642911041-1173974218
                                    • Opcode ID: b34bb02bbd4737a1936eafd77543e85950f7ea410d0c34680fead3c7ff4e9d48
                                    • Instruction ID: cb57d063f75cc4f31d13588c1f8c9ab68587712d3c0effb04f73b5b126141290
                                    • Opcode Fuzzy Hash: b34bb02bbd4737a1936eafd77543e85950f7ea410d0c34680fead3c7ff4e9d48
                                    • Instruction Fuzzy Hash: D8C1F370C002888FDB14CFA8C9587EEBBB1BF61305F24825AE454AB292D7786A85DB55

                                    Control-flow Graph (rendered graph not preserved; basic blocks 4c6d80-4c74c3, executed/not-executed colouring lost). API calls visible in the graph: DeleteFileA, GetPEB; the remaining calls are internal subroutines.
                                    APIs
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004C7051
                                      • Part of subcall function 00432534: __EH_prolog3.LIBCMT ref: 00432570
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004C7062
                                      • Part of subcall function 004E74C0: __fread_nolock.LIBCMT ref: 004E7609
                                    • DeleteFileA.KERNELBASE(?), ref: 004C70EB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$DeleteFileH_prolog3__fread_nolock
                                    • String ID: 131$fulka
                                    • API String ID: 3880692912-4056579778
                                    • Opcode ID: b0dd5c29ad60d31b7a3c522a000278fd362b9cef014be5c22c03ef1b0ea937a4
                                    • Instruction ID: 7966019704e3fd473910eda9b3190c6326d4c2da0caac65bea49cbac806563d6
                                    • Opcode Fuzzy Hash: b0dd5c29ad60d31b7a3c522a000278fd362b9cef014be5c22c03ef1b0ea937a4
                                    • Instruction Fuzzy Hash: 1E32ACB4D04248CFCB04DFA8C985BAEBBB1BF58304F14419EE8056B392D779AA45CF95

                                    Control-flow Graph (rendered graph not preserved; basic blocks 4fad00-4fb364, executed/not-executed colouring lost). No imported API calls appear in the graph; all calls are internal subroutines.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
                                    • API String ID: 0-1885142750
                                    • Opcode ID: 290526fdaeecb9b32a4886536e6308414190d977e0197cd1d2ee003efe7cabb0
                                    • Instruction ID: 5912c9be0b5fe0253428befa1510005b8e6d21b15bd6994098c8da1f87b2af15
                                    • Opcode Fuzzy Hash: 290526fdaeecb9b32a4886536e6308414190d977e0197cd1d2ee003efe7cabb0
                                    • Instruction Fuzzy Hash: 510258B0A007089BEB209F15DC4577B7BE4EF51304F14442EEA4A9B391EBB9E944CBC6

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    [Control-flow graph for the function starting at 4df030 (rendered graph not reproduced; the graph's edge list has been omitted, its API calls are listed under APIs below)]
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DF09A
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF329
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF52A
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DF84A
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DFC7D
                                      • Part of subcall function 004E6770: FindFirstFileA.KERNELBASE(00000000,?,005894F8,?,?,?,\*.*,00000004), ref: 004E68E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesErrorFindFirstFolderLastPath
                                    • String ID:
                                    • API String ID: 2127212259-0
                                    • Opcode ID: 2482f94120ed5ea93039516545623d95f61e970846a000b1fcdf438d4bcd209a
                                    • Instruction ID: 8e27dc709fe3b7ff7b62f4d1f71842afe3ac2492894b6e8ccfd466f18f63ab33
                                    • Opcode Fuzzy Hash: 2482f94120ed5ea93039516545623d95f61e970846a000b1fcdf438d4bcd209a
                                    • Instruction Fuzzy Hash: DBA202B4D0425D8BDF25CFA8C995AEEBBB0BF18304F2041AAD949B7351D7341A84CFA5

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    [Control-flow graph for the function starting at 4de430 (rendered graph not reproduced; the graph's edge list has been omitted, its API calls are listed under APIs below)]
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004DE49D
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DE8C9
                                    • CopyFileA.KERNEL32(?,00000000,00000000), ref: 004DEA83
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DED11
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004DEE67
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$Cpp_errorFileThrow_std::_$AttributesCopyErrorFolderLastPath
                                    • String ID:
                                    • API String ID: 1001086254-0
                                    • Opcode ID: 26680b1becdb41978357c0f33f45d202fe4b356215f4adaeaf7733656648b968
                                    • Instruction ID: 4de69712ac24b7a09e9bc2c7d11d42553b755471a164b72fa8c1d2b7ead1c118
                                    • Opcode Fuzzy Hash: 26680b1becdb41978357c0f33f45d202fe4b356215f4adaeaf7733656648b968
                                    • Instruction Fuzzy Hash: 298225B0C042598BCB15CFA9C995BEEBBB0BF18304F10419ED549BB382DB745A85CFA5
                                    APIs
                                    • FindFirstFileA.KERNELBASE(00000000,?,00000000), ref: 004C613F
                                    • FindNextFileA.KERNELBASE(00000000,00000010), ref: 004C643F
                                    • GetLastError.KERNEL32 ref: 004C644D
                                    • FindClose.KERNEL32(00000000), ref: 004C645D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 819619735-0
                                    • Opcode ID: 90cf4eca11af66bb089fdb4a1b4223e767fc84b405f6936ed3c5d03910aaf901
                                    • Instruction ID: afe6fe270f27518361ed143ef8865d869d8c660e8b4c9bb3a5978c93709ae348
                                    • Opcode Fuzzy Hash: 90cf4eca11af66bb089fdb4a1b4223e767fc84b405f6936ed3c5d03910aaf901
                                    • Instruction Fuzzy Hash: ACD17CB4C043488FDB24CF98C994BEEBBB1BF45314F14829ED4496B392D7785A84CB59
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004C6B57
                                    • LocalFree.KERNEL32(?), ref: 004C6B86
                                    • LocalFree.KERNEL32(?), ref: 004C6C82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: FreeLocal$CryptDataUnprotect
                                    • String ID:
                                    • API String ID: 2835072361-0
                                    • Opcode ID: 6647244c26512a52de21afd46b75caebb72f7fadd5b90fb549dccdfd3791c3cc
                                    • Instruction ID: 6019ec204b0dd747d4126109e6a4f8e7bf51aa55734569d67b400ef60c6c0d13
                                    • Opcode Fuzzy Hash: 6647244c26512a52de21afd46b75caebb72f7fadd5b90fb549dccdfd3791c3cc
                                    • Instruction Fuzzy Hash: 6171B171C002489BDB00DFA8C945BEEFBB4EF14314F10826EE851B3391EB786A44DBA5
                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053F705
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053FA07
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 885266447-0
                                    • Opcode ID: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                                    • Instruction ID: 1f76d2344d35fe0e13097961589cbfb84b6978ae6f877586e2245b879765d82e
                                    • Opcode Fuzzy Hash: 7cc4ef92f3a6051046a18418b77ea2a3a6de1ed4712a7747bb821a5c40650b69
                                    • Instruction Fuzzy Hash: E3029C71A04702AFDB18CF29C840B6ABBE4BF88318F14867DE859D7650D774ED94CB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                                    • Instruction ID: 127d1e6b524efbadbaaaff55744b8fab0cc6e196c82b7e7b6ae44d0b7ee8643f
                                    • Opcode Fuzzy Hash: b15aa9a463d604c256c669c29f6134746f95fa67f9ccc3a2b131056c85d33937
                                    • Instruction Fuzzy Hash: 3BB1F67090060A9BFB28CE68D855ABFBBB1AF04304F140A1FDA52A7791C77D9D21CB59

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    [Control-flow graph for the function starting at 4c7b00 (rendered graph not reproduced; the graph's edge list has been omitted, its API calls are listed under APIs below)]
                                    APIs
                                    • setsockopt.WS2_32(00000388,0000FFFF,00001006,?,00000008), ref: 004C7BA6
                                    • recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
                                    • WSAGetLastError.WS2_32 ref: 004C7BC5
                                    • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
                                    • recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
                                    • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
                                    • recv.WS2_32(00000000,?,00000008), ref: 004C7D1B
                                      • Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
                                      • Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
                                      • Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
                                      • Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
                                      • Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
                                      • Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
                                      • Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690
                                    • recv.WS2_32(?,00000004,00000008), ref: 004C7E23
                                    • __Xtime_get_ticks.LIBCPMT ref: 004C7E2A
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
                                    • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
                                    • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
                                    • String ID:
                                    • API String ID: 3089209366-0
                                    • Opcode ID: f1428413fdaa7102f0b5d4268ab97f1f0576cb2b5ca2443ce43d56224d386408
                                    • Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
                                    • Opcode Fuzzy Hash: f1428413fdaa7102f0b5d4268ab97f1f0576cb2b5ca2443ce43d56224d386408
                                    • Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0040B8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 0040BA08
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E242
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045E3D3
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045E4C6
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045E5BC
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 0045E808
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045E986
                                    • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 0045EB1D
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 0045EC10
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045ED06
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045EDED
                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0045F06D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 453214671-0
                                    • Opcode ID: bd257381b72f24b865c35424aca81356a138dcccbec74b51b3f8208da1a3af36
                                    • Instruction ID: 0e418cf523baa0a35c0a910b93c4bb77d5942d6061cfe1063ad62b245a56bb8b
                                    • Opcode Fuzzy Hash: bd257381b72f24b865c35424aca81356a138dcccbec74b51b3f8208da1a3af36
                                    • Instruction Fuzzy Hash: 4FA226B0D012688BCB25DB65CD95BDDBBB4AF14304F0040EED44A67282EB785F88DF5A

                                    Control-flow Graph

                                    APIs
                                    • RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 004E4A70
                                    • GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 004E4ADC
                                    • LsaOpenPolicy.ADVAPI32(00000000,00587684,00000001,?), ref: 004E4B35
                                    • LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 004E4B48
                                    • LsaFreeMemory.ADVAPI32(?), ref: 004E4B76
                                    • LsaClose.ADVAPI32(?), ref: 004E4B7F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
                                    • String ID: %wZ$&"N$;Yb.
                                    • API String ID: 762890658-4094109456
                                    • Opcode ID: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                                    • Instruction ID: db120a3af714b361d6db134a28a940fef9e0d4b71911d12d67c4190411436b99
                                    • Opcode Fuzzy Hash: 71ef275a8d6462c4c5fc6e537bb68741ac7498f384360e828531ccc0aa0ebddd
                                    • Instruction Fuzzy Hash: 1EE101B4D0425A8FDB14CF98C985BEEBBB4BF08304F2041AAE949B7341D7745A85CFA5

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f0ebc92e5ca6f275d4bbb75147d6ad3a24cc47560e82a7b4de6b8652cd53fa6b
                                    • Instruction ID: d4d7462daa34083545f9d93f0c5ebf53bf58a01a885379ada905c47cec286c1a
                                    • Opcode Fuzzy Hash: f0ebc92e5ca6f275d4bbb75147d6ad3a24cc47560e82a7b4de6b8652cd53fa6b
                                    • Instruction Fuzzy Hash: E2B1F4B0A00245AFFB11DF99C881BAE7BB1FF55304F14015EE414AB392CB78AD81CB69

                                    Control-flow Graph

                                    APIs
                                    • GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                    • 6CE37CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                    • SetLastError.KERNEL32(00000000), ref: 004D6CFE
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D25
                                    • GetLastError.KERNEL32(?,?,00000000), ref: 004D6D33
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CopyFile
                                    • String ID:
                                    • API String ID: 936320341-0
                                    • Opcode ID: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                    • Instruction ID: cca443e56f4e81c83c2dc89493b37bcb85ee1d7da0cfa031959f485395bd6110
                                    • Opcode Fuzzy Hash: 2f0097d69676047ed723569c17c067a4a1f2d969b86affe3f6592f517df160a8
                                    • Instruction Fuzzy Hash: 6051C172D01219ABCB21CF94DC55BEEBBB8EB04320F10026AE804B3390D7396E05CBA4

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
                                    • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProcSend
                                    • String ID: Ws2_32.dll
                                    • API String ID: 2819740048-3093949381
                                    • Opcode ID: e3988772e46cc4ee45d499e5fc4178a2abfbb0fdd693764c9218998b18a73415
                                    • Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
                                    • Opcode Fuzzy Hash: e3988772e46cc4ee45d499e5fc4178a2abfbb0fdd693764c9218998b18a73415
                                    • Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96
                                    APIs
                                      • Part of subcall function 004E6CA0: GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                      • Part of subcall function 004E6CA0: GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                      • Part of subcall function 004E6C10: CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00465CB0
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465FD5
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                      • Part of subcall function 004E6CA0: std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00465EC6
                                    Similarity
                                    • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 453214671-0
                                    • Opcode ID: a6f74c4fb681bad4fff6eebfe3dcca055a714b6454d6401ad70e278b8326c920
                                    • Instruction ID: bdb7de5e538d98cc2bc1e856d074b668cb5d4ba5ca64421d2565693f44b24664
                                    • Opcode Fuzzy Hash: a6f74c4fb681bad4fff6eebfe3dcca055a714b6454d6401ad70e278b8326c920
                                    • Instruction Fuzzy Hash: 8053CFB0D052688FDB65DF55C994BDDBBB0BB58304F0041EAD44AA7292EB382F84DF49
                                    APIs
                                    • GetFileAttributesA.KERNELBASE(?,?,?,00460404), ref: 004E6CFC
                                    • GetLastError.KERNEL32(?,?,00460404), ref: 004E6D07
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D60
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                    • String ID:
                                    • API String ID: 995686243-0
                                    • Opcode ID: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                                    • Instruction ID: 241e2f942859b358e1133ab4bf22632851a161ac9c5554c12c2f2fb0b7350d8e
                                    • Opcode Fuzzy Hash: 65662f257d92aefc3507c5f8cb9ddc555297535a90f0ce1970463870aaf9e219
                                    • Instruction Fuzzy Hash: DF11CE71A0028496DB205F6A5C08F6A7F60EB22772F64031BD8359B3D4DB3948058759
                                    APIs
                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 004D6A20
                                      • Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
                                      • Part of subcall function 004D6BA0: 6CE37CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B84
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004D6B95
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$CopyErrorFileLast
                                    • String ID:
                                    • API String ID: 1723067277-0
                                    • Opcode ID: 9fad268e1b32fb5342daa8b04bbb0199fc585924ca8808c03fe502974afbaa59
                                    • Instruction ID: af59b977606615079acd7a310a8afa41bd250120d803ccb4a837ad8b48953fd5
                                    • Opcode Fuzzy Hash: 9fad268e1b32fb5342daa8b04bbb0199fc585924ca8808c03fe502974afbaa59
                                    • Instruction Fuzzy Hash: 5BD18BB0C00249DBDB04DFA9C9557EEBBB1BF54304F14419ED80577382EB785A45CBA6
                                    APIs
                                    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00493D89
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 00493DAC
                                    • RegCloseKey.ADVAPI32(?), ref: 00493DB7
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 77d91e2ffbc41f4e718118182c7f4e60994b52f51d4fd49462c42fe523481256
                                    • Instruction ID: c2861601c7c989816088ca7cd521e7ac3defefe444e22908af63c5fcea44e6b0
                                    • Opcode Fuzzy Hash: 77d91e2ffbc41f4e718118182c7f4e60994b52f51d4fd49462c42fe523481256
                                    • Instruction Fuzzy Hash: C8C136B1D042499FDB14CFA8D986BAEBBB0EF09314F204169E905B7391E7345A84CFA5
                                    APIs
                                    • CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004E6C55
                                      • Part of subcall function 00432BAA: RtlReleaseSRWLockExclusive.NTDLL(004E6D30), ref: 00432BBE
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C84
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004E6C95
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
                                    • String ID:
                                    • API String ID: 1881651058-0
                                    • Opcode ID: 1369faf54573f1097b34743c1b99fafbb3d15d6b7359fe2f2678d7eae3eda35f
                                    • Instruction ID: b54f6e02dbe68d52aaf8ce57ceccae370b453a77f91dfdb3bbc81736346272f4
                                    • Opcode Fuzzy Hash: 1369faf54573f1097b34743c1b99fafbb3d15d6b7359fe2f2678d7eae3eda35f
                                    • Instruction Fuzzy Hash: B2F049B1500640FBD7109F999D06B6ABBA8FB05731F14031AFC35A63D0D7B5190087AA
                                    APIs
                                    • DeleteFileW.KERNELBASE(?,?,0043D2B1,?), ref: 0044B9D8
                                    • GetLastError.KERNEL32(?,0043D2B1,?), ref: 0044B9E2
                                    • __dosmaperr.LIBCMT ref: 0044B9E9
                                    Similarity
                                    • API ID: DeleteErrorFileLast__dosmaperr
                                    • String ID:
                                    • API String ID: 1545401867-0
                                    • Opcode ID: 09b3d7d03d43d7566e94fc4839c3f2f0e9d57db1a11ed26f70a1bc8201ac59e9
                                    • Instruction ID: 29a5b21677c8caf908dcad016bfb5ae84cbfd6cad116b975ceede8be2d8f2443
                                    • Opcode Fuzzy Hash: 09b3d7d03d43d7566e94fc4839c3f2f0e9d57db1a11ed26f70a1bc8201ac59e9
                                    • Instruction Fuzzy Hash: 00D0C9321146086BEA106BB6BC089163B6D9A913797140616F52CC52A0EE25C895A665
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004E588F
                                    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004E5B9B
                                    Similarity
                                    • API ID: DirectoryInformationVolumeWindows
                                    • String ID:
                                    • API String ID: 3487004747-0
                                    • Opcode ID: 0a0dcd09eef47cc32d5847b2942677d40245ae2126d3bdebcd0edae20a9bad6e
                                    • Instruction ID: 009fea26e280c08ebde66711631a2368a09a7ac58c7b38572a32fddf838a6e16
                                    • Opcode Fuzzy Hash: 0a0dcd09eef47cc32d5847b2942677d40245ae2126d3bdebcd0edae20a9bad6e
                                    • Instruction Fuzzy Hash: 81F157B0D002499BDB14CFA8C9957EEBBB1FF08304F24425EE545BB381DB756A84CBA5
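Added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small Python parser that turns per-function "APIs" listings like the ones above into structured calls and runs three triage rules over them, covering the Ws2_32 export resolved through GetModuleHandleA/GetProcAddress before WSASend (call site 004096A6), the RegOpenKeyExA whose hKey argument 80000002 is HKEY_LOCAL_MACHINE followed by RegQueryValueExA (00493D89), and the GetVolumeInformationA call after GetWindowsDirectoryA (004E588F). REPORT_EXCERPT holds lines copied from the listings on this page; CALL_RE, the tag names and the rule set are this example's own assumptions about what an analyst would want flagged, not report output.

```python
"""Parse Joe Sandbox per-function 'APIs' listings into structured calls and run
triage rules over them. Added example for this page, not Joe Sandbox code:
REPORT_EXCERPT is copied from the listings above; CALL_RE, the tag names and the
rules are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One call line, e.g.
#   • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
#   • Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
#   • std::_Throw_Cpp_error.LIBCPMT ref: 004E6D4F      (no argument list)
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HKEY_LOCAL_MACHINE = "80000002"  # documented value of the HKLM predefined key handle


@dataclass
class Call:
    name: str
    module: str                       # tag after the dot, upper-cased (KERNEL32, WS2_32, ...)
    args: List[str]
    ref: str                          # call-site address from "ref:"
    subcall_of: Optional[str] = None  # set for "Part of subcall function X:" lines


@dataclass
class FunctionEntry:
    calls: List[Call] = field(default_factory=list)

    @property
    def first_ref(self) -> str:
        """Address that identifies the entry: its first direct (non-subcall) call site."""
        direct = [c.ref for c in self.calls if c.subcall_of is None]
        return direct[0] if direct else self.calls[0].ref


def parse_api_listings(text: str) -> List[FunctionEntry]:
    """Start a new entry at every 'APIs' header; parse the bullet lines beneath it."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
        elif current is not None and (m := CALL_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(Call(m["name"], m["mod"].upper(), args, m["ref"], m["sub"]))
    return [e for e in entries if e.calls]


def triage(entry: FunctionEntry) -> List[str]:
    """Tags that fire for one function's listing (rule set is this example's own)."""
    names = {c.name for c in entry.calls}
    tags = []
    # Winsock export fetched through GetProcAddress instead of the import table.
    if "GetProcAddress" in names and any(c.module == "WS2_32" for c in entry.calls):
        tags.append("dynamic-winsock-resolution")
    # RegOpenKeyEx* with hKey == HKEY_LOCAL_MACHINE, followed by a value read.
    if any(c.name.startswith("RegOpenKeyEx") and c.args[:1] == [HKEY_LOCAL_MACHINE]
           for c in entry.calls) and any(n.startswith("RegQueryValueEx") for n in names):
        tags.append("hklm-value-query")
    # Volume information (which includes the volume serial number) read from disk.
    if any(n.startswith("GetVolumeInformation") for n in names):
        tags.append("volume-info-lookup")
    return tags


def run(text: str) -> List[tuple]:
    """(first call-site ref, tags) for every entry that trips at least one rule."""
    return [(e.first_ref, triage(e)) for e in parse_api_listings(text) if triage(e)]


# Copied from the listings on this page (report excerpt, not constructed data).
REPORT_EXCERPT = """\
APIs
• GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 004096A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
• WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 004096C9
APIs
• CopyFileA.KERNEL32(?,?,00000000), ref: 004D6A20
  • Part of subcall function 004D6BA0: GetLastError.KERNEL32(?,00000000), ref: 004D6BD3
  • Part of subcall function 004D6BA0: 6CE37CF0.RSTRTMGR(?,00000000,?), ref: 004D6C50
• std::_Throw_Cpp_error.LIBCPMT ref: 004D6B84
APIs
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00493D89
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 00493DAC
• RegCloseKey.ADVAPI32(?), ref: 00493DB7
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004E588F
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004E5B9B
"""

if __name__ == "__main__":
    for ref, tags in run(REPORT_EXCERPT):
        print(ref, ", ".join(tags))
```

The subcall lines are kept but marked with subcall_of so a rule can decide whether a call made by a callee should count for the caller; the three rules here only look at the function's own listing plus its subcalls together, which is enough for these entries. Unresolved exports such as 6CE37CF0.RSTRTMGR parse like any other call, with the address as the name.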
                                    APIs
                                      • Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(E0126DEB,00000000,00000000,0043D0C7), ref: 00448F02
                                    • WriteFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?,004E6E3C,?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7), ref: 0044990E
                                    • GetLastError.KERNEL32(?,0043CFE7,004E6E3C,?,00579E10,00000010,0043D0C7,004E6E3C,?,00000000,?), ref: 00449918
                                    Similarity
                                    • API ID: ConsoleErrorFileLastOutputWrite
                                    • String ID:
                                    • API String ID: 2915228174-0
                                    • Opcode ID: 31457cb41688bf9267a4d34aaba0591c787e78cc82baf2098e7bb743f7a0da0b
                                    • Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
                                    • Opcode Fuzzy Hash: 31457cb41688bf9267a4d34aaba0591c787e78cc82baf2098e7bb743f7a0da0b
                                    • Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65
                                    APIs
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004D676A
                                    • std::_Throw_Cpp_error.LIBCPMT ref: 004D677B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Cpp_errorThrow_std::_
                                    • String ID:
                                    • API String ID: 2134207285-0
                                    • Opcode ID: ee00d86a89ee62715d60b896044e90f690cda42d917c0ef1e64fc9d0a964cb8a
                                    • Instruction ID: 177bb7d1701b8dda1f5a90c4ee3be826f8175b366ab48e47effb054e9b4aa952
                                    • Opcode Fuzzy Hash: ee00d86a89ee62715d60b896044e90f690cda42d917c0ef1e64fc9d0a964cb8a
                                    • Instruction Fuzzy Hash: 6441F2B1E002058BC720DF68995136EBBA1BB94314F19072FE815673D1EB79EA04C795
                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E55
                                    • GetLastError.KERNEL32(?,00448CE6,00000000,CF830579,0057A178,0000000C,00448DA2,0043D07D,?), ref: 00448E5F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: ChangeCloseErrorFindLastNotification
                                    • String ID:
                                    • API String ID: 1687624791-0
                                    • Opcode ID: b06bb773f2e3691ac59e29f36838d983fea0542ad72171c0b67bdc6ed3fb0d12
                                    • Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
                                    • Opcode Fuzzy Hash: b06bb773f2e3691ac59e29f36838d983fea0542ad72171c0b67bdc6ed3fb0d12
                                    • Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(00000000,00000000,0043D0C7,00000000,00000002,00000000,00000000,00000000,00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000), ref: 00442558
                                    • GetLastError.KERNEL32(00000000,?,00442656,00000000,00000000,0043D0C7,00000002,00000000,?,0044982E,00000000,00000000,00000000,00000002,0043D0C7,00000000), ref: 00442565
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastPointer
                                    • String ID:
                                    • API String ID: 2976181284-0
                                    • Opcode ID: 68e58f652f7d6d636abaf7dbd87b622c8ec0f619f1e8a4c00f9091375e275125
                                    • Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
                                    • Opcode Fuzzy Hash: 68e58f652f7d6d636abaf7dbd87b622c8ec0f619f1e8a4c00f9091375e275125
                                    • Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4
                                    APIs
                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B030
                                    • GetLastError.KERNEL32(?,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B03B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 485612231-0
                                    • Opcode ID: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                    • Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
                                    • Opcode Fuzzy Hash: 99a1dad4488ae4134b0b86126f226bb7eaf0feb81a688c838a9a99aa0a8ec9ba
                                    • Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 98ad1d256c0ddfb69c72597b5609d37edd2aee79e43187298c3c7066527089eb
                                    • Instruction ID: 65307ecbef6fb9e01e3d4ad067897c34c173f6a72c2a6aa1ef5fcaa49911cde8
                                    • Opcode Fuzzy Hash: 98ad1d256c0ddfb69c72597b5609d37edd2aee79e43187298c3c7066527089eb
                                    • Instruction Fuzzy Hash: 0E02A070D04248DFDB14DF68C945BDDBBB0AB14308F14419ED8057B386EBB95E88DB9A
                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0041546E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    • Opcode ID: 8aec340eac8f6639e061003becede4450c39dec382dbace38c3082cae3886c36
                                    • Instruction ID: bd448271620100f3a1b1b6e8090fbb17c8ec551eb96fe3ea9a7077eb077db61a
                                    • Opcode Fuzzy Hash: 8aec340eac8f6639e061003becede4450c39dec382dbace38c3082cae3886c36
                                    • Instruction Fuzzy Hash: AF6199B1A00614DFCB10CF59C984B9ABBF5FF88310F24816EE8199B391C778EA41CB95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                                    • Instruction ID: 9663080612542d3e5f9b84a36c3ecf1ef98ea00319430370267f097460dfd66c
                                    • Opcode Fuzzy Hash: e0750673b6008633cc79045623eaeb207d83782e0e9d8302f40567207ba640ce
                                    • Instruction Fuzzy Hash: 2651C670A00204AFDF14DF59C881AAABBA2EF8D328F24915EF8089B352D775DD41CB55
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 09dbeedca0382fe83fa6e64ccb476af2fb42ace462cdada0f63a81bd75d016a3
                                    • Instruction ID: 028c77ef4637c0ac0bfd58be9ca2c186fed01019b569c5d695070078eed700b9
                                    • Opcode Fuzzy Hash: 09dbeedca0382fe83fa6e64ccb476af2fb42ace462cdada0f63a81bd75d016a3
                                    • Instruction Fuzzy Hash: A8517FB0D043499BDB10DF99D986BAEFBB4FF44714F10012EE8416B381D7796A44CBA5
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 018f489811a338dcef82faead4130839585db85a1beb9436eeefc27b6700566d
                                    • Instruction ID: 959dba962c579710b3c8227977385e6342f185642bc3a86ace1f34c607c4467c
                                    • Opcode Fuzzy Hash: 018f489811a338dcef82faead4130839585db85a1beb9436eeefc27b6700566d
                                    • Instruction Fuzzy Hash: 78416CB0D04248EBDB14DF99D985BEEBBB4FF48714F10416EE801AB381D7799901CBA5
                                    APIs
                                    • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00406908
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: ___std_fs_directory_iterator_open@12
                                    • String ID:
                                    • API String ID: 29801545-0
                                    • Opcode ID: c3b8b3600ed0ad07f9a4110fed077291c3700e835e34d0cb827fcc3074b6ad22
                                    • Instruction ID: 382a6ddcba4688358f9e0a4ad0208e6a3358ad319658d54a7c18dfc33c73484c
                                    • Opcode Fuzzy Hash: c3b8b3600ed0ad07f9a4110fed077291c3700e835e34d0cb827fcc3074b6ad22
                                    • Instruction Fuzzy Hash: AB21AE76E00619ABCB14EF49D841BAAB7B4FB84324F00466EED1663780DB396D10CB94
                                    APIs
                                    • SetupDiGetClassDevsA.SETUPAPI(0055D560,00000000,00000000), ref: 004E5D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: ClassDevsSetup
                                    • String ID:
                                    • API String ID: 2330331845-0
                                    • Opcode ID: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
                                    • Instruction ID: 3af1858aaf6aa964ebdd9f4359c5c99147492c850a3065a18f0c0dee6211d041
                                    • Opcode Fuzzy Hash: 3d8916a0f3a5560b99d21513aef90176b581373bb7b6b0032725707bac5390a9
                                    • Instruction Fuzzy Hash: A0110EB1D04B449BE3208F28DD0A757BBF0EB00B28F10471EE850573C1E3BA6A4887E2
                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0040331F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    • Opcode ID: 4c9de15bf43b7906aab7ed6efc04c82af185101d7b74466eda9590404471e6f8
                                    • Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
                                    • Opcode Fuzzy Hash: 4c9de15bf43b7906aab7ed6efc04c82af185101d7b74466eda9590404471e6f8
                                    • Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,000000FF,00000000), ref: 0044A69B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 44fe68ec2fca24d705c4288583a30094579fd4d4051ae38cb78614132530c581
                                    • Instruction ID: 9689b7dccde3e7d2c1426315cc49502dff6dd5535dcc2f3da2dc3831567fdc71
                                    • Opcode Fuzzy Hash: 44fe68ec2fca24d705c4288583a30094579fd4d4051ae38cb78614132530c581
                                    • Instruction Fuzzy Hash: 4CF0E0311905246BFB216A66DC05B5B375CAF41760F1E8117EC84EB190CA3CDC3146EE
                                    APIs
                                    • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406853
                                      • Part of subcall function 00431F7B: FindNextFileW.KERNELBASE(?,?,?,00406858,?,?,?,?,0040691A,?,?,?,00000000,?,?), ref: 00431F84
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: FileFindNext___std_fs_directory_iterator_advance@8
                                    • String ID:
                                    • API String ID: 3878998205-0
                                    • Opcode ID: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                                    • Instruction ID: f155dccb83496c4d8f98fbb14974b26749813e83e467fdfa34ea523ab42003ff
                                    • Opcode Fuzzy Hash: 0b9b7a2be4556d67719362d67afe6131e98dc99b1db50658bd5de953d38406f0
                                    • Instruction Fuzzy Hash: 63D05E22701520118D24752738085AF06498DC66A8A42447FB84AB32C2EA2D8C0311AD
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3555854942.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.3555834614.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3555956165.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556022871.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556066131.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556096402.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.000000000079A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007B4000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556132255.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.3556863154.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                    Similarity
                                    • API ID: H_prolog3
                                    • String ID:
                                    • API String ID: 431132790-0
                                    • Opcode ID: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                                    • Instruction ID: ccf5b3b5ee64302dd7184922bc8d264c22512182c10063c293431932d1ea205a
                                    • Opcode Fuzzy Hash: f97e20be6f9967ed6d0bdb0fc59c364b82bb9609628a7e062ab6fec8fc85ac89
                                    • Instruction Fuzzy Hash: 13E09AB2C0020D9ADB00DFD5C452BEFBBB8AB08315F50446BA205E6181EB789748CBE5