
Windows Analysis Report
BqqQh4Jr7L.exe

Overview

General Information

Sample name: BqqQh4Jr7L.exe (renamed because the original name is a hash value)
Original sample name: 112de57b8288c1c154f6725f421046fc.exe
Analysis ID: 1461138
MD5: 112de57b8288c1c154f6725f421046fc
SHA1: f9feb02d8666090b7d284eaa2821244309d8f9fa
SHA256: fa918289433c703e2df9e0094bc05c67fdb2259603ae24a44b02edb0cc7ec62c
Tags: 32exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • BqqQh4Jr7L.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\BqqQh4Jr7L.exe" MD5: 112DE57B8288C1C154F6725F421046FC)
    • schtasks.exe (PID: 8152 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7212 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 2032 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 112DE57B8288C1C154F6725F421046FC)
  • MPGPH131.exe (PID: 6828 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 112DE57B8288C1C154F6725F421046FC)
  • RageMP131.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 112DE57B8288C1C154F6725F421046FC)
    • WerFault.exe (PID: 5376 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 2416 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 112DE57B8288C1C154F6725F421046FC)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Oh3LlYeM6Hc4fU6JG8kBRXb.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

Source | Rule | Description | Author | Strings
0000000B.00000003.4050437795.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000B.00000003.4050337195.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000B.00000003.4081389464.00000000057C7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000B.00000003.4050509626.00000000057B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000B.00000003.4081149352.00000000057C7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
(10 entries in total; the first 5 are shown)

              System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\BqqQh4Jr7L.exe, ProcessId: 7460, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort alerts:
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/22/24-23:40:12.531730 | 2046269 | 49738 | 58709 | TCP | A Network Trojan was detected
06/22/24-23:41:56.985827 | 2046269 | 49741 | 58709 | TCP | A Network Trojan was detected
06/22/24-23:41:57.447707 | 2046266 | 58709 | 49744 | TCP | A Network Trojan was detected
06/22/24-23:39:38.120794 | 2049060 | 49738 | 58709 | TCP | A Network Trojan was detected
06/22/24-23:41:50.767964 | 2046267 | 58709 | 49741 | TCP | A Network Trojan was detected
06/22/24-23:41:50.550981 | 2046266 | 58709 | 49741 | TCP | A Network Trojan was detected
06/22/24-23:39:53.611025 | 2046267 | 58709 | 49738 | TCP | A Network Trojan was detected
06/22/24-23:42:03.642272 | 2046269 | 49744 | 58709 | TCP | A Network Trojan was detected
06/22/24-23:39:38.731728 | 2046266 | 58709 | 49738 | TCP | A Network Trojan was detected

              AV Detection

Source: http://77.91.77.81/mine/amadka.exe.com | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exeq | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeY | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe00.1 | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exectrum | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe | Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe | Virustotal: Detection: 23%
Source: http://77.91.77.81/cost/go.exe | Virustotal: Detection: 23%
Source: http://77.91.77.81/mine/amadka.exeY | Virustotal: Detection: 20%
Source: http://77.91.77.81/cost/lenin.exe00.1 | Virustotal: Detection: 20%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 52%
Source: BqqQh4Jr7L.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: BqqQh4Jr7L.exe | Joe Sandbox ML: detected
Source: BqqQh4Jr7L.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError

              Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49738 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49738
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49738
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49741 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49744
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49744 -> 77.91.77.66:58709
Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 77.91.77.66:58709
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 104.26.4.15
Source: Joe Sandbox View | IP Address: 77.91.77.66
Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_00409280 recv,GetProcAddress,GetModuleHandleA,GetProcAddress,WSASend
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: db-ip.com
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4081504895.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4140177336.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: RageMP131.exe, 0000000B.00000003.4081504895.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4140177336.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exeq
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe00.1
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exectrum
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe.com
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exeY
Source: BqqQh4Jr7L.exe, 00000000.00000003.1662865982.0000000002860000.00000004.00001000.00020000.00000000.sdmp, BqqQh4Jr7L.exe, 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2685540823.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4136208721.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.4136258719.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2685908666.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4136229541.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.2771125165.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2851504591.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4119625472.000000000055D000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/Exb
Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/S
Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33t
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/g
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33d
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000E63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/0
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Q
Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/d
Source: BqqQh4Jr7L.exe, 00000000.00000003.1662865982.0000000002860000.00000004.00001000.00020000.00000000.sdmp, BqqQh4Jr7L.exe, 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2685540823.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4136208721.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.4136258719.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2685908666.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4136229541.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.2771125165.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2851504591.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4119625472.000000000055D000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.338
Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33K
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33y6
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: 3b6N2Xdh3CYwplaces.sqlite.11.dr | String found in binary or memory: https://support.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.11.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 3b6N2Xdh3CYwplaces.sqlite.11.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: RageMP131.exe, 0000000B.00000003.4043785797.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, aeDD7pYnP_3THistory.11.dr, n6RXdwyEVS1qHistory.11.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: aeDD7pYnP_3THistory.11.dr, n6RXdwyEVS1qHistory.11.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: RageMP131.exe, 0000000B.00000003.4043785797.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, aeDD7pYnP_3THistory.11.dr, n6RXdwyEVS1qHistory.11.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: aeDD7pYnP_3THistory.11.dr, n6RXdwyEVS1qHistory.11.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.O
              Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050437795.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050509626.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050337195.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4081389464.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050393181.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4140948069.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050298214.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050659408.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Oh3LlYeM6Hc4fU6JG8kBRXb.zip.11.drString found in binary or memory: https://t.me/RiseProSUPPORT
              Source: RageMP131.exe, 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTl
              Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro
              Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.11.drString found in binary or memory: https://t.me/risepro_bot
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botU
              Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botlater
              Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.drString found in binary or memory: https://www.ecosia.org/newtab/
              Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org
              Source: 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: RageMP131.exe, 0000000B.00000002.4140714950.00000000057AA000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.11.dr, 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/o
              Source: 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/axx
              Source: RageMP131.exe, 0000000B.00000002.4140714950.00000000057AA000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.11.dr, 3b6N2Xdh3CYwplaces.sqlite.11.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/r
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
              Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49740 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49743 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49746 version: TLS 1.2

              System Summary

              Source: BqqQh4Jr7L.exe | Static PE information: section name:
              Source: BqqQh4Jr7L.exe | Static PE information: section name:
              Source: BqqQh4Jr7L.exe | Static PE information: section name:
              Source: BqqQh4Jr7L.exe | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_0043C960
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_0043A928
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_004371A0
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_0044DA86
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_0044036F
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_00458BB0
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_004EFC40
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_0042F580
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_00452610
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_004F2FD0
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_004547BF
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1912
              Source: BqqQh4Jr7L.exe | Binary or memory string: OriginalFilename vs BqqQh4Jr7L.exe
              Source: BqqQh4Jr7L.exe, 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs BqqQh4Jr7L.exe
              Source: BqqQh4Jr7L.exe, 00000000.00000000.1660790758.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs BqqQh4Jr7L.exe
              Source: BqqQh4Jr7L.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs BqqQh4Jr7L.exe
              Source: BqqQh4Jr7L.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: BqqQh4Jr7L.exe | Static PE information: Section: ZLIB complexity 0.998071735779634
              Source: BqqQh4Jr7L.exe | Static PE information: Section: ZLIB complexity 0.9895441729323309
              Source: BqqQh4Jr7L.exe | Static PE information: Section: ZLIB complexity 0.9912109375
              Source: BqqQh4Jr7L.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.998071735779634
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9895441729323309
              Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9912109375
              Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.998071735779634
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9895441729323309
              Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9912109375
              Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
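              The ZLIB complexity values listed above are the size of a section after zlib compression divided by its raw size. The following is an added example, not code from the Joe Sandbox report or from the sample, that computes the metric on constructed byte blobs so the three situations visible above can be reproduced offline: a value near 1.0 for bytes that are already incompressible (packed or encrypted code, which is what makes the three unnamed sections suspicious), a value near 0 for zero-filled data, and a value above 1.0 for a section so small that zlib's header, block framing and Adler-32 trailer outweigh any saving, which is why a .reloc value of 1.5 is not by itself evidence of packing. The section names, the 0.9 threshold and the 256-byte minimum are this example's own assumptions.

```python
import hashlib
import zlib
from typing import List, Tuple


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size for one section's bytes.

    Near 1.0: the bytes are already incompressible (packed or encrypted).
    Above 1.0: only reachable for a tiny section, where zlib's 2-byte header,
    block framing and 4-byte Adler-32 trailer cost more than compression saves,
    so such values say nothing about packing.
    """
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic incompressible filler standing in for packed section bytes."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed stand-ins, not the sample's sections: one packed-looking section,
# one zero-filled section, one too small for the metric to mean anything.
CONSTRUCTED_SECTIONS: List[Tuple[str, bytes]] = [
    ("packed_like", pseudo_random_bytes(4096)),
    ("zero_filled", b"\x00" * 4096),
    ("tiny_reloc", pseudo_random_bytes(22)),
]

# Thresholds are this example's choice, not Joe Sandbox's.
HIGH_COMPLEXITY = 0.9
MIN_MEANINGFUL_SIZE = 256


def classify_section(name: str, data: bytes) -> dict:
    """Score one section; tiny sections are never flagged because overhead dominates."""
    ratio = zlib_complexity(data)
    return {
        "name": name,
        "size": len(data),
        "zlib_complexity": round(ratio, 4),
        "suspicious": len(data) >= MIN_MEANINGFUL_SIZE and ratio >= HIGH_COMPLEXITY,
    }


def triage_sections(sections: List[Tuple[str, bytes]]) -> List[dict]:
    """Classify every (name, bytes) pair in section order."""
    return [classify_section(name, data) for name, data in sections]


if __name__ == "__main__":
    for row in triage_sections(CONSTRUCTED_SECTIONS):
        print(f'{row["name"]:12} size={row["size"]:5} '
              f'zlib={row["zlib_complexity"]:.4f} suspicious={row["suspicious"]}')
```

              To run this against a real PE, feed each section's raw bytes (for example `section.get_data()` from the pefile library) to `zlib_complexity`; the packed sections of this sample should land near the 0.99 values reported above, and the .reloc section should land above 1.0 only because it is tiny.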
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/29@4/3
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | File created: C:\Users\user\AppData\Local\RageMP131
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4296
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: BqqQh4Jr7L.exe, 00000000.00000003.1662865982.0000000002860000.00000004.00001000.00020000.00000000.sdmp, BqqQh4Jr7L.exe, 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2685540823.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4136208721.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.4136258719.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2685908666.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4136229541.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.2771125165.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2851504591.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4119625472.000000000055D000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: BqqQh4Jr7L.exe, 00000000.00000003.1662865982.0000000002860000.00000004.00001000.00020000.00000000.sdmp, BqqQh4Jr7L.exe, 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2685540823.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4136208721.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.4136258719.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2685908666.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4136229541.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.2771125165.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2851504591.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4119625472.000000000055D000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: RageMP131.exe, 0000000B.00000003.4043100008.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043390049.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp, bzE_GuQuX4wzLogin Data.11.dr, Vw4BVaQyHMhtLogin Data For Account.11.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: BqqQh4Jr7L.exe | Virustotal: Detection: 54%
              Source: BqqQh4Jr7L.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | File read: C:\Users\user\Desktop\BqqQh4Jr7L.exe
              Source: unknown | Process created: C:\Users\user\Desktop\BqqQh4Jr7L.exe "C:\Users\user\Desktop\BqqQh4Jr7L.exe"
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1912
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
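              The two schtasks command lines above register the dropped C:\ProgramData\MPGPH131\MPGPH131.exe as scheduled tasks, one hourly and one at logon, both with /rl HIGHEST and /f, and the module-load entries that follow show RageMP131.exe pulling in vaultcli.dll and dpapi.dll, which is the Windows Vault and DPAPI access a credential stealer needs. The following is an added example, not code from the report, from Joe Sandbox or from the sample, that parses report lines of this shape, extracts a persistence finding from each `schtasks /create` invocation and flags credential-related DLL loads per process. The excerpt of lines is constructed from the entries above, the trigger list and the DLL-to-meaning mapping are this example's own, and the line regex also accepts the run-together form in which the source and the finding are not separated.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the report lines above (not a live log): the two
# schtasks persistence commands, one harmless child process, and a few module loads.
REPORT_LINES = [
    'Source: C:\\Users\\user\\Desktop\\BqqQh4Jr7L.exe | Process created: C:\\Windows\\SysWOW64\\schtasks.exe '
    'schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST',
    'Source: C:\\Windows\\SysWOW64\\schtasks.exe | Process created: C:\\Windows\\System32\\conhost.exe '
    'C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1',
    'Source: C:\\Users\\user\\Desktop\\BqqQh4Jr7L.exe | Process created: C:\\Windows\\SysWOW64\\schtasks.exe '
    'schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST',
    'Source: C:\\Windows\\SysWOW64\\schtasks.exe | Section loaded: taskschd.dll',
    'Source: C:\\Users\\user\\AppData\\Local\\RageMP131\\RageMP131.exe | Section loaded: vaultcli.dll',
    'Source: C:\\Users\\user\\AppData\\Local\\RageMP131\\RageMP131.exe | Section loaded: winhttp.dll',
    'Source: C:\\Users\\user\\AppData\\Local\\RageMP131\\RageMP131.exe | Section loaded: dpapi.dll',
]

# "Source: <process><optional separator><kind>: <detail>"; the separator is optional so
# the run-together form of the listing parses too.
LINE_RE = re.compile(r"^Source: (?P<source>.+?)(?: \| )?(?P<kind>Process created|Section loaded): (?P<detail>.*)$")

# Triggers that re-run a task without user action, and DLLs whose load by a non-browser
# process points at credential access. Both lists are this example's own choice.
AUTORUN_TRIGGERS = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY", "DAILY"}
CREDENTIAL_DLLS = {
    "vaultcli.dll": "Windows Credential Manager (Vault) client",
    "dpapi.dll": "DPAPI CryptUnprotectData (browser password and cookie blobs)",
}
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {flags, opts} for a schtasks command line, None for any other program."""
    toks = tokenize(cmdline)
    if not any(t.lower().endswith("schtasks.exe") or t.lower() == "schtasks" for t in toks[:2]):
        return None
    opts: Dict[str, str] = {}
    flags = set()
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[tok.lower()] = toks[i + 1]   # option with a value, e.g. /tn "name"
                i += 2
                continue
            flags.add(tok.lower())                # bare switch, e.g. /create or /f
        i += 1
    return {"flags": flags, "opts": opts}


def assess_task(parsed: dict) -> Optional[dict]:
    """Turn a parsed schtasks /create into a finding with the reasons it matters."""
    if "/create" not in parsed["flags"]:
        return None
    opts = parsed["opts"]
    target = opts.get("/tr", "")
    trigger = opts.get("/sc", "").upper()
    reasons = []
    if trigger in AUTORUN_TRIGGERS:
        reasons.append(f"autorun trigger /sc {trigger}")
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("runs with /rl HIGHEST")
    if any(p in target.lower() for p in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if "/f" in parsed["flags"]:
        reasons.append("/f silently replaces an existing task of the same name")
    return {"task_name": opts.get("/tn", ""), "target": target, "trigger": trigger, "reasons": reasons}


def triage(lines: List[str]) -> dict:
    """Walk report lines; collect persistence tasks and credential-related DLL loads."""
    tasks, loads = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        source, kind, detail = m.group("source").strip(), m.group("kind"), m.group("detail")
        if kind == "Process created":
            parsed = parse_schtasks(detail)
            finding = assess_task(parsed) if parsed else None
            if finding:
                tasks.append(finding)
        else:
            dll = detail.strip().lower()
            if dll in CREDENTIAL_DLLS:
                loads.setdefault(source, []).append((dll, CREDENTIAL_DLLS[dll]))
    return {"tasks": tasks, "module_loads": loads}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for t in result["tasks"]:
        print(f'task "{t["task_name"]}" -> {t["target"]}: ' + "; ".join(t["reasons"]))
    for proc, dlls in result["module_loads"].items():
        print(proc, "loads", ", ".join(d for d, _ in dlls))
```

              The same `parse_schtasks` and `assess_task` pair works on Sysmon event ID 1 or Security event 4688 command lines. On a host suspected of carrying this persistence, the task names are what to pivot on (`schtasks /query /tn "MPGPH131 HR" /v`), and the /RU "user" value means the task runs in the victim's own context, so /rl HIGHEST only yields full rights if that account is an administrator.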
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: d3d11.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: dxgi.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: d3d10warp.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: dxcore.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: devobj.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: vaultcli.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: BqqQh4Jr7L.exe | Static file information: File size 3251216 > 1048576
              Source: BqqQh4Jr7L.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x262400
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
              Source: initial sample | Static PE information: section where entry point is pointing to: .boot
              Source: BqqQh4Jr7L.exe | Static PE information: section name:
              Source: BqqQh4Jr7L.exe | Static PE information: section name:
              Source: BqqQh4Jr7L.exe | Static PE information: section name:
              Source: BqqQh4Jr7L.exe | Static PE information: section name:
              Source: BqqQh4Jr7L.exe | Static PE information: section name: .themida
              Source: BqqQh4Jr7L.exe | Static PE information: section name: .boot
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name: .themida
              Source: RageMP131.exe.0.dr | Static PE information: section name: .boot
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name: .themida
              Source: MPGPH131.exe.0.dr | Static PE information: section name: .boot
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_005F5D96 push 07A5D1FFh; mov dword ptr [esp], eax 0_2_008E0823
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_005F5D96 push 6826BE75h; mov dword ptr [esp], ebx 0_2_008E0853
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
              Source: BqqQh4Jr7L.exe | Static PE information: section name: entropy: 7.970058974416475
              Source: RageMP131.exe.0.dr | Static PE information: section name: entropy: 7.970058974416475
              Source: MPGPH131.exe.0.dr | Static PE information: section name: entropy: 7.970058974416475
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

              Boot Survival

              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Stalling execution: Execution stalls by calling Sleep graph_0-13662
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | System information queried: FirmwareTableInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Window / User API: threadDelayed 394
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-16264
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe TID: 7464 | Thread sleep count: 128 > 30
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe TID: 4884 | Thread sleep count: 394 > 30
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe TID: 7464 | Thread sleep count: 160 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5472 | Thread sleep count: 104 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2080 | Thread sleep count: 67 > 30
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError
              Source: MPGPH131.exe, 0000000A.00000002.4139612465.0000000000E17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: RageMP131.exe, 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
              Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000E89000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
              Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWea
              Source: BqqQh4Jr7L.exe, 00000000.00000003.2663655121.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}D
              Source: MPGPH131.exe, 00000009.00000002.4139462897.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__m
              Source: RageMP131.exe, 0000000C.00000003.4050980981.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: RageMP131.exe, 0000000B.00000003.4050298214.00000000057B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}`
              Source: MPGPH131.exe, 00000009.00000002.4139353354.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4139393683.0000000000C65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_45A855E6
              Source: RageMP131.exe, 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}S
              Source: RageMP131.exe, 0000000C.00000003.4050980981.0000000000E97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWEi/
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: GetLocaleInfoW 0_2_004531CA
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: EnumSystemLocalesW 0_2_0044B1B1
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP 0_2_004532F3
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW 0_2_00452B5A
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: GetLocaleInfoW 0_2_004533F9
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW 0_2_004534CF
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: GetLocaleInfoW 0_2_00452D5F
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: EnumSystemLocalesW 0_2_00452E51
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: EnumSystemLocalesW 0_2_00452E06
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: EnumSystemLocalesW 0_2_00452EEC
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW 0_2_00452F77
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: GetLocaleInfoW 0_2_0044B734
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Code function: 0_2_0043361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime
              Source: C:\Users\user\Desktop\BqqQh4Jr7L.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 0000000B.00000003.4050437795.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050337195.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4081389464.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050509626.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4081149352.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050393181.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.4139560551.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.4140948069.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050298214.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050659408.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: BqqQh4Jr7L.exe PID: 7460, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4296, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 2416, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Oh3LlYeM6Hc4fU6JG8kBRXb.zip, type: DROPPED
              Source: RageMP131.exe, 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
              Source: RageMP131.exe, 0000000B.00000003.4050337195.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storaget
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: RageMP131.exe, 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
              Source: RageMP131.exe, 0000000B.00000003.4050437795.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.jsons
              Source: RageMP131.exe, 0000000B.00000003.4050437795.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets*m
              Source: RageMP131.exe, 0000000B.00000003.4081504895.0000000000F10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
              Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENTJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENTJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENTJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENTJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENTJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENTJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENTJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENTJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 4296, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 0000000B.00000003.4050437795.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050337195.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4081389464.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050509626.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4081149352.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050393181.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.4139560551.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.4140948069.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050298214.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000003.4050659408.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: BqqQh4Jr7L.exe PID: 7460, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4296, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 2416, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Oh3LlYeM6Hc4fU6JG8kBRXb.zip, type: DROPPED
              MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the detection count the report shows for that technique)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: Native API (2); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (13); Process Injection (11); Compile After Delivery; Indicator Removal from Tools
              Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (34); Security Software Discovery (331); Virtualization/Sandbox Evasion (13); Process Discovery (1); Application Window Discovery (1); System Network Configuration Discovery (1)
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1461138 | Sample: BqqQh4Jr7L.exe | Startdate: 22/06/2024 | Architecture: WINDOWS | Score: 100

              Start node
              • DNS/IP: ipinfo.io; db-ip.com
              • Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 6 other signatures
              • Started processes: BqqQh4Jr7L.exe 1 9; RageMP131.exe 55; MPGPH131.exe; 2 other processes

              BqqQh4Jr7L.exe
              • DNS/IP: 77.91.77.66 (49738, 49741, 49744) FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation; ipinfo.io 34.117.186.192 (443, 49739, 49742) GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States; db-ip.com 104.26.4.15 (443, 49740, 49743) CLOUDFLARENETUS, United States
              • Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\...\RageMP131.exe:Zone.Identifier (ASCII); C:\...\MPGPH131.exe:Zone.Identifier (ASCII)
              • Signatures: Query firmware table information (likely to detect VMs); Found stalling execution ending in API Sleep call; Contains functionality to inject threads in other processes; Uses schtasks.exe or at.exe to add and modify task schedules
              • Started processes: schtasks.exe 1; schtasks.exe 1

              RageMP131.exe
              • Dropped: C:\Users\user\...\Oh3LlYeM6Hc4fU6JG8kBRXb.zip (Zip)
              • Signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; 2 other signatures
              • Started processes: WerFault.exe 16

              MPGPH131.exe
              • Signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check)

              schtasks.exe (both instances)
              • Started processes: conhost.exe

              Source | Detection | Scanner | Label
              BqqQh4Jr7L.exe | 55% | Virustotal | -
              BqqQh4Jr7L.exe | 100% | Joe Sandbox ML | -

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML | -
              C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML | -
              C:\ProgramData\MPGPH131\MPGPH131.exe | 53% | ReversingLabs | Win32.Trojan.RiseProStealer
              C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 53% | ReversingLabs | Win32.Trojan.RiseProStealer
              No Antivirus matches
              Source | Detection | Scanner | Label
              ipinfo.io | 0% | Virustotal | -
              db-ip.com | 0% | Virustotal | -
              Source | Detection | Scanner | Label
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
              https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
              https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
              https://ipinfo.io/ | 0% | URL Reputation | safe
              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
              https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
              https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 0% | Avira URL Cloud | safe
              http://77.91.77.81/mine/amadka.exe.com | 100% | Avira URL Cloud | phishing
              http://77.91.77.81/mine/amadka.exe | 100% | Avira URL Cloud | phishing
              https://ipinfo.io:443/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/go.exe | 100% | Avira URL Cloud | malware
              https://ipinfo.io/widget/demo/8.46.123.33K | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORTl | 0% | Avira URL Cloud | safe
              https://db-ip.com/ | 0% | Avira URL Cloud | safe
              https://db-ip.com/Exb | 0% | Avira URL Cloud | safe
              http://77.91.77.81/mine/amadka.exe | 23% | Virustotal | -
              https://ipinfo.io/widget/demo/8.46.123.338 | 0% | Avira URL Cloud | safe
              https://t.me/RiseProSUPPORTl | 1% | Virustotal | -
              https://duckduckgo.com/ac/?q= | 0% | Virustotal | -
              https://duckduckgo.com/chrome_newtab | 0% | Virustotal | -
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | Avira URL Cloud | safe
              https://t.me/risepro | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botU | 0% | Avira URL Cloud | safe
              https://db-ip.com/ | 0% | Virustotal | -
              https://ipinfo.io/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/go.exe | 23% | Virustotal | -
              https://db-ip.com:443/demo/home.php?s=8.46.123.33d | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botU | 0% | Virustotal | -
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | Avira URL Cloud | safe
              https://db-ip.com:443/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botisepro_bot | 0% | Avira URL Cloud | safe
              https://db-ip.com/S | 0% | Avira URL Cloud | safe
              https://t.me/risepro | 0% | Virustotal | -
              https://ipinfo.io/d | 0% | Avira URL Cloud | safe
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
              https://ipinfo.io/Q | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botisepro_bot | 0% | Virustotal | -
              http://77.91.77.81/cost/go.exeq | 100% | Avira URL Cloud | phishing
              https://db-ip.com/S | 0% | Virustotal | -
              https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe
              https://ipinfo.io/d | 0% | Virustotal | -
              https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Avira URL Cloud | safe
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | -
              http://77.91.77.81/mine/amadka.exeY | 100% | Avira URL Cloud | phishing
              https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Virustotal | -
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | -
              https://ipinfo.io/Mozilla/5.0 | 0% | Avira URL Cloud | safe
              https://ipinfo.io/Q | 0% | Virustotal | -
              https://db-ip.com/g | 0% | Avira URL Cloud | safe
              https://t.me/risepro_bot | 0% | Avira URL Cloud | safe
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Virustotal | -
              http://77.91.77.81/mine/amadka.exeY | 20% | Virustotal | -
              https://t.me/risepro_botlater | 0% | Avira URL Cloud | safe
              https://ipinfo.io/Mozilla/5.0 | 0% | Virustotal | -
              https://t.me/RiseProSUPPORT | 0% | Virustotal | -
              http://77.91.77.81/cost/lenin.exe00.1 | 100% | Avira URL Cloud | phishing
              https://t.me/risepro_bot | 0% | Virustotal | -
              https://ipinfo.io/0 | 0% | Avira URL Cloud | safe
              https://db-ip.com/g | 0% | Virustotal | -
              https://www.maxmind.com/en/locate-my-ip-address | 0% | Avira URL Cloud | safe
              https://t.O | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33t | 0% | Avira URL Cloud | safe
              https://t.me/risepro_botlater | 0% | Virustotal | -
              http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/lenin.exectrum | 100% | Avira URL Cloud | phishing
              https://www.maxmind.com/en/locate-my-ip-address | 0% | Virustotal | -
              https://support.mozilla.org | 0% | Avira URL Cloud | safe
              https://t.O | 0% | Virustotal | -
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | Avira URL Cloud | safe
              https://db-ip.com/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
              https://ipinfo.io/0 | 0% | Virustotal | -
              https://ipinfo.io/widget/demo/8.46.123.33y6 | 0% | Avira URL Cloud | safe
              http://77.91.77.81/cost/lenin.exe | 100% | Avira URL Cloud | malware
              http://77.91.77.81/cost/lenin.exe00.1 | 20% | Virustotal | -
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              ipinfo.io | 34.117.186.192 | true | false | - | unknown
              db-ip.com | 104.26.4.15 | true | false | - | unknown
              Name | Malicious | Antivirus Detection | Reputation
              https://ipinfo.io/widget/demo/8.46.123.33 | false | Avira URL Cloud: safe | unknown
              https://ipinfo.io/ | false | URL Reputation: safe | unknown
              https://db-ip.com/demo/home.php?s=8.46.123.33 | false | Avira URL Cloud: safe | unknown
              NameSourceMaliciousAntivirus DetectionReputation
              http://77.91.77.81/mine/amadka.exeRageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpfalse
              • 23%, Virustotal, Browse
              • Avira URL Cloud: phishing
              unknown
              https://duckduckgo.com/chrome_newtabRageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.drfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://ipinfo.io:443/widget/demo/8.46.123.33BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF3b6N2Xdh3CYwplaces.sqlite.11.drfalse
              • Avira URL Cloud: safe
              unknown
              http://77.91.77.81/mine/amadka.exe.comRageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: phishing
              unknown
              https://duckduckgo.com/ac/?q=RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.drfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://77.91.77.81/cost/go.exeRageMP131.exe, 0000000B.00000002.4139560551.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4081504895.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4140177336.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
              • 23%, Virustotal, Browse
              • Avira URL Cloud: malware
              unknown
              https://ipinfo.io/widget/demo/8.46.123.33KRageMP131.exe, 0000000C.00000002.4121676146.0000000000E8C000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://t.me/RiseProSUPPORTlRageMP131.exe, 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmpfalse
              • 1%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://db-ip.com/BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.drfalse
              • URL Reputation: safe
              unknown
              https://db-ip.com/ExbBqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://ipinfo.io/widget/demo/8.46.123.338BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000C8C000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17RageMP131.exe, 0000000B.00000003.4043785797.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, aeDD7pYnP_3THistory.11.dr, n6RXdwyEVS1qHistory.11.drfalse
              • Avira URL Cloud: safe
              unknown
              https://t.me/riseproRageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://t.me/risepro_botURageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://db-ip.com:443/demo/home.php?s=8.46.123.33dRageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallaeDD7pYnP_3THistory.11.dr, n6RXdwyEVS1qHistory.11.drfalse
              • Avira URL Cloud: safe
              unknown
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchRageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.drfalse
              • URL Reputation: safe
              unknown
              https://db-ip.com:443/demo/home.php?s=8.46.123.33BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000EA7000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://t.me/risepro_botisepro_botBqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://db-ip.com/SRageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://ipinfo.io/dRageMP131.exe, 0000000C.00000002.4121676146.0000000000E6F000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://www.google.com/images/branding/product/ico/googleg_lodp.icoRageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.drfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://ipinfo.io/QBqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CA9000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://77.91.77.81/cost/go.exeqRageMP131.exe, 0000000B.00000003.4081504895.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4140177336.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: phishing
              unknown
              https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dllBqqQh4Jr7L.exe, 00000000.00000003.1662865982.0000000002860000.00000004.00001000.00020000.00000000.sdmp, BqqQh4Jr7L.exe, 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2685540823.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4136208721.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.4136258719.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2685908666.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4136229541.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.2771125165.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2851504591.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4119625472.000000000055D000.00000002.00000001.01000000.00000006.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
Name: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://t.me/RiseProSUPPORT
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050437795.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050509626.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050337195.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4081389464.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050393181.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4140948069.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050298214.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4050659408.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Oh3LlYeM6Hc4fU6JG8kBRXb.zip.11.dr
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: RageMP131.exe, 0000000B.00000003.4043785797.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, aeDD7pYnP_3THistory.11.dr, n6RXdwyEVS1qHistory.11.dr
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://www.ecosia.org/newtab/
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: http://77.91.77.81/mine/amadka.exeY
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 20%, Virustotal
• Avira URL Cloud: phishing
Reputation: unknown

Name: https://ipinfo.io/Mozilla/5.0
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4139560551.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 3b6N2Xdh3CYwplaces.sqlite.11.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: https://db-ip.com/g
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://ac.ecosia.org/autocomplete?q=
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: https://t.me/risepro_bot
Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.11.dr
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://t.me/risepro_botlater
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: http://77.91.77.81/cost/lenin.exe00.1
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 20%, Virustotal
• Avira URL Cloud: phishing
Reputation: unknown

Name: https://ipinfo.io/0
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000E63000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://t.O
Source: RageMP131.exe, 0000000C.00000002.4121676146.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: https://db-ip.com/demo/home.php?s=8.46.123.33t
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://www.winimage.com/zLibDll
Source: BqqQh4Jr7L.exe, 00000000.00000003.1662865982.0000000002860000.00000004.00001000.00020000.00000000.sdmp, BqqQh4Jr7L.exe, 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000003.2685540823.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4136208721.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.4136258719.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2685908666.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4136229541.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.2771125165.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2851504591.0000000000DB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4119625472.000000000055D000.00000002.00000001.01000000.00000006.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://77.91.77.81/cost/lenin.exectrum
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: phishing
Reputation: unknown

Name: https://support.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.11.dr
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aeDD7pYnP_3THistory.11.dr, n6RXdwyEVS1qHistory.11.dr
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RageMP131.exe, 0000000B.00000003.4045165877.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4043893756.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.4046397307.00000000057EC000.00000004.00000020.00020000.00000000.sdmp, tcATMc9tGZ4JWeb Data.11.dr, 0KkfNlrcRm1qWeb Data.11.dr, WG8uD7f7bdsYWeb Data.11.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: https://ipinfo.io/widget/demo/8.46.123.33y6
Source: BqqQh4Jr7L.exe, 00000000.00000002.4139340786.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation: unknown

Name: http://77.91.77.81/cost/lenin.exe
Source: RageMP131.exe, 0000000B.00000002.4139560551.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
• Avira URL Cloud: malware
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
104.26.4.15 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
77.91.77.66 | unknown | Russian Federation | 42861 | FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1461138
              Start date and time:2024-06-22 23:37:07 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 10m 11s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:BqqQh4Jr7L.exe
              renamed because original name is a hash value
              Original Sample Name:112de57b8288c1c154f6725f421046fc.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@12/29@4/3
              EGA Information:
              • Successful, ratio: 33.3%
              HCA Information:Failed
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MPGPH131.exe, PID 2032 because there are no executed functions
• Execution Graph export aborted for target MPGPH131.exe, PID 6828 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtCreateFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:40:59 | API Interceptor | 246087x Sleep call for process: BqqQh4Jr7L.exe modified
22:39:39 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:39:39 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:39:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
22:39:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
 | w.sh | malicious | Xmrig | /ip
 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
104.26.4.15 | 포트폴리오.exe | malicious | Nemty, Xmrig | api.db-ip.com/v2/free/102.129.152.212/countryName
77.91.77.66 | file.exe | malicious | RisePro Stealer | 
 | file.exe | malicious | RisePro Stealer | 
 | plTAoSCew2.exe | malicious | RisePro Stealer | 
 | 7rA1iX60wh.exe | malicious | RisePro Stealer | 
 | PNO3otPYOa.exe | malicious | RisePro Stealer | 
 | YnsEArPlqx.exe | malicious | RisePro Stealer | 
 | AlCsIOd0pd.exe | malicious | RisePro Stealer | 
 | setup.exe | malicious | Amadey, RisePro Stealer | 
 | D44CPdpkNk.exe | malicious | RisePro Stealer | 
 | WGEfBWbWQI.exe | malicious | RisePro Stealer | 
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | file.exe | malicious | RisePro Stealer | 34.117.186.192
 | file.exe | malicious | RisePro Stealer | 34.117.186.192
 | PsHQsuTG0H.dll | malicious | Unknown | 34.117.186.192
 | plTAoSCew2.exe | malicious | RisePro Stealer | 34.117.186.192
 | 7rA1iX60wh.exe | malicious | RisePro Stealer | 34.117.186.192
 | PsHQsuTG0H.dll | malicious | Unknown | 34.117.186.192
 | PNO3otPYOa.exe | malicious | RisePro Stealer | 34.117.186.192
 | YnsEArPlqx.exe | malicious | RisePro Stealer | 34.117.186.192
 | setup.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192
 | D44CPdpkNk.exe | malicious | RisePro Stealer | 34.117.186.192
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.4.15
 | http://feedbackreview-id0284892389423.d1o0pnrgaue9g2.amplifyapp.com/index.html | malicious | Unknown | 104.26.4.15
 | file.exe | malicious | RisePro Stealer | 172.67.75.166
 | plTAoSCew2.exe | malicious | RisePro Stealer | 104.26.5.15
 | 7rA1iX60wh.exe | malicious | RisePro Stealer | 104.26.4.15
 | PNO3otPYOa.exe | malicious | RisePro Stealer | 104.26.4.15
 | YnsEArPlqx.exe | malicious | RisePro Stealer | 172.67.75.166
 | setup.exe | malicious | Amadey, RisePro Stealer | 104.26.5.15
 | D44CPdpkNk.exe | malicious | RisePro Stealer | 104.26.4.15
 | 1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 104.26.4.15
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | file.exe | malicious | RisePro Stealer | 77.91.77.66
 | setup.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 77.91.77.81
 | setup.exe | malicious | Amadey | 77.91.77.81
 | It5068xROy.dll | malicious | RedLine | 77.91.77.6
 | file.exe | malicious | RisePro Stealer | 77.91.77.66
 | plTAoSCew2.exe | malicious | RisePro Stealer | 77.91.77.66
 | 7rA1iX60wh.exe | malicious | RisePro Stealer | 77.91.77.66
 | PNO3otPYOa.exe | malicious | RisePro Stealer | 77.91.77.66
 | YnsEArPlqx.exe | malicious | RisePro Stealer | 77.91.77.66
 | AlCsIOd0pd.exe | malicious | RisePro Stealer | 77.91.77.66
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | RisePro Stealer | 34.117.186.192
 | https://peringatanfb772.wixsite.com/mysite | malicious | Unknown | 34.117.60.144
 | file.exe | malicious | RisePro Stealer | 34.117.186.192
 | PsHQsuTG0H.dll | malicious | Unknown | 34.117.186.192
 | plTAoSCew2.exe | malicious | RisePro Stealer | 34.117.186.192
 | 7rA1iX60wh.exe | malicious | RisePro Stealer | 34.117.186.192
 | PsHQsuTG0H.dll | malicious | Unknown | 34.117.186.192
 | PNO3otPYOa.exe | malicious | RisePro Stealer | 34.117.186.192
 | YnsEArPlqx.exe | malicious | RisePro Stealer | 34.117.186.192
 | https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments | malicious | Unknown | 34.117.239.71
CLOUDFLARENETUS | file.exe | malicious | RisePro Stealer | 104.26.4.15
 | MT STENA IMPRESSION Vessel Particulars.exe | malicious | Snake Keylogger | 188.114.96.3
 | omgsoft.exe | malicious | LummaC | 172.67.138.40
 | Zahlung.docx.doc | malicious | Unknown | 172.67.135.214
 | Zahlung.docx.doc | malicious | Unknown | 172.67.135.214
 | https://havenhostelbremerhaven.eu/4659080558 | malicious | Unknown | 104.17.25.14
 | Baltic questionnaire.exe | malicious | Snake Keylogger | 188.114.97.3
 | TS-240622-BlankGrabber3.exe | malicious | Blank Grabber | 162.159.136.232
 | TS-240622-Creal2.exe | malicious | Python Stealer, CStealer | 104.26.3.16
 | TS-240622-Lumma4.exe | malicious | LummaC | 104.21.49.90
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | RisePro Stealer | 34.117.186.192, 104.26.4.15
 | omgsoft.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
 | Zahlung.docx.doc | malicious | Unknown | 34.117.186.192, 104.26.4.15
 | TS-240622-Lumma4.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
 | NEW ORDER.docx.doc | malicious | Unknown | 34.117.186.192, 104.26.4.15
 | https://bcr.serviciul.com/ | malicious | Unknown | 34.117.186.192, 104.26.4.15
 | setup.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 34.117.186.192, 104.26.4.15
 | SecuriteInfo.com.Script.SNH-gen.23298.6936.xlsx | malicious | Unknown | 34.117.186.192, 104.26.4.15
 | SecuriteInfo.com.FileRepMalware.3625.5069.msi | malicious | Bazar Loader, BruteRatel, Latrodectus | 34.117.186.192, 104.26.4.15
 | Form_Ver-13-59-03 (1).js | malicious | Bazar Loader, BruteRatel, Latrodectus | 34.117.186.192, 104.26.4.15
                                  No context
                                  Process:C:\Users\user\Desktop\BqqQh4Jr7L.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3251216
                                  Entropy (8bit):7.967934456708274
                                  Encrypted:false
                                  SSDEEP:98304:owbi+g33t3xUt7a48cvEHX86yzdgjTbCTyb:oDnhx3tQQ7lCTyb
                                  MD5:112DE57B8288C1C154F6725F421046FC
                                  SHA1:F9FEB02D8666090B7D284EAA2821244309D8F9FA
                                  SHA-256:FA918289433C703E2DF9E0094BC05C67FDB2259603AE24A44B02EDB0CC7EC62C
                                  SHA-512:7BB82912DEA6255F68B693DD227B9E9F5E3D48D24B2ED1425AA8666D38D72D0E62206F94B205868A2DE608E3B1935419A2A24FA42ABBA9C9FB476AAB07BD74D0
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 53%
                                  Reputation:low
                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@..........................@~.....>o2......................................a..........8....................0~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot....$&...X..$&..x..............`..`.reloc.......0~.......1................@................................................................
                                  Process:C:\Users\user\Desktop\BqqQh4Jr7L.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Sat Jun 22 21:42:00 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):104482
                                  Entropy (8bit):2.0465064576935625
                                  Encrypted:false
                                  SSDEEP:384:WSep8dMlFtvvwBo1dfgwPiwh5jWK+y9JuJ2yP4St2y1F:/+plFtvF0well1
                                  MD5:DCA01066825FF611C9F5D5B2D57693CB
                                  SHA1:8F9BD972E00B67D3DD67CF84F268815A95891469
                                  SHA-256:0C97E0FC59980BD11A07D9E21640F49C16EF01F1E2A116A9296D8A542E298862
                                  SHA-512:7F556168B7DCC35E782D3C07EFA68FFCE83907A6A0F35C1E0769D991EE34BE21C29177AB09D2A55FDAF2FEFC90A8824F3F408184E803FC8997454DCA1E7708BF
                                  Malicious:false
                                  Reputation:low
                                  Preview:MDMP..a..... .......(Ewf....................................l....#...........L..........`.......8...........T............J..:M...........#...........%..............................................................................eJ.......&......GenuineIntel............T............Dwfe............................ ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8396
                                  Entropy (8bit):3.6975382896142612
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJPK6llmUO6Y9MSUIgmfBJJWRprr89bN9sf+ITPm:R6lXJy6lAUO6YmSUIgmfBJJ5N2f+p
                                  MD5:67BA44046F815D1ED28E7CC7ECB9FF16
                                  SHA1:E6D27C876322AB4EE520A61F281E0118693AB6B1
                                  SHA-256:EA1A31086F10F40C9C737520B67F39D38427E3A1C16A4FD96DE7E8A748D2A878
                                  SHA-512:47827F609669128A9D6DC93C0ADA61B7EE3B0B9FA68C030A7840D547DF5971B35E580CB9B546D0105613170248154DE9B70373E9EB0757A47606F75EC4433F1D
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.9.6.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4708
                                  Entropy (8bit):4.508185219787914
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zs5Jg77aI99KWpW8VYbYm8M4JlqFM0+q8Jzn8fnceAd:uIjfLI7Dr7VjJqA8fncDd
                                  MD5:61B0CD201DA326FCE32BE5748605543A
                                  SHA1:1337115AA59DC29078C402220416AA4E8015F931
                                  SHA-256:0D23538622A17F892ABE2A5A1CC0DB2A3D83AF69682C1C5BBC2CE86185E7233D
                                  SHA-512:2A1A588B48D9D2F531A22C892C8DFF09545EF02A0B4170A1F0619286186F59DA7DE43C3E506CB35EE89F9BA15C7EB7DAED1987D4D2E0258BDA4255C0067813F7
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="379484" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Users\user\Desktop\BqqQh4Jr7L.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3251216
                                  Entropy (8bit):7.967934456708274
                                  Encrypted:false
                                  SSDEEP:98304:owbi+g33t3xUt7a48cvEHX86yzdgjTbCTyb:oDnhx3tQQ7lCTyb
                                  MD5:112DE57B8288C1C154F6725F421046FC
                                  SHA1:F9FEB02D8666090B7D284EAA2821244309D8F9FA
                                  SHA-256:FA918289433C703E2DF9E0094BC05C67FDB2259603AE24A44B02EDB0CC7EC62C
                                  SHA-512:7BB82912DEA6255F68B693DD227B9E9F5E3D48D24B2ED1425AA8666D38D72D0E62206F94B205868A2DE608E3B1935419A2A24FA42ABBA9C9FB476AAB07BD74D0
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 53%
                                  Reputation:low
                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@..........................@~.....>o2......................................a..........8....................0~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot....$&...X..$&..x..............`..`.reloc.......0~.......1................@................................................................
                                  Process:C:\Users\user\Desktop\BqqQh4Jr7L.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                  Category:dropped
                                  Size (bytes):5533
                                  Entropy (8bit):7.8965573815896875
                                  Encrypted:false
                                  SSDEEP:96:tWGzqeAoMq+YK0KF8cAJiI2i+u/c7KtkbUudTGB9kSyzS3KJVV:hqASpF8wFlRNTe9kSX6Jn
                                  MD5:3568F853644E4EF228D7EDB16BA92C1A
                                  SHA1:320A0F410E5F7DAC2AA413B2F19C5EF21C3FF2CD
                                  SHA-256:AB688A71190EFCBD0E44D9C73AB1C913C72381C29975DC6CB2C0181AD4A6096B
                                  SHA-512:295D6C1868B55034010D8CECBD879C5E2F09C32A8AB6370BB03F83DF1CC378237B2BDDD7CB4CD15BEAA6C4B26B1C8BD09B7CCEC63CF58914D2E821416B0967FD
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\Oh3LlYeM6Hc4fU6JG8kBRXb.zip, Author: Joe Security
                                  Preview:PK........<..X................Cookies\..PK........<..XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym
                                  Process:C:\Users\user\Desktop\BqqQh4Jr7L.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:modified
                                  Size (bytes):13
                                  Entropy (8bit):2.6612262562697895
                                  Encrypted:false
                                  SSDEEP:3:LEkYA:I9A
                                  MD5:615DE61321ED589B76B3F5AEBBD9ABC1
                                  SHA1:CFCBB68739E599E43B29E845B545AF605F9BFD75
                                  SHA-256:2830F7A60B6412C16AF667B04857DD2C45B0434BCF3B945D18830695BF8D04D3
                                  SHA-512:83B4BF0074856FC260D42C06E2EE356D0F00AEC7E4A01B2144056F64EFE283335A6BD84107596274AF7CAF764EEE638C0CA1438478957131D295579C532EEF84
                                  Malicious:false
                                  Preview:1719099072450
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):98304
                                  Entropy (8bit):0.08235737944063153
                                  Encrypted:false
                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.1358696453229276
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):5242880
                                  Entropy (8bit):0.037963276276857943
                                  Encrypted:false
                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                  Malicious:false
                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):5242880
                                  Entropy (8bit):0.037963276276857943
                                  Encrypted:false
                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                  Malicious:false
                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):114688
                                  Entropy (8bit):0.9746603542602881
                                  Encrypted:false
                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):114688
                                  Entropy (8bit):0.9746603542602881
                                  Encrypted:false
                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):114688
                                  Entropy (8bit):0.9746603542602881
                                  Encrypted:false
                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):40960
                                  Entropy (8bit):0.8553638852307782
                                  Encrypted:false
                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                  Category:dropped
                                  Size (bytes):28672
                                  Entropy (8bit):2.5793180405395284
                                  Encrypted:false
                                  SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                  MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                  SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                  SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                  SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.1358696453229276
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):126976
                                  Entropy (8bit):0.47147045728725767
                                  Encrypted:false
                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                  Category:dropped
                                  Size (bytes):159744
                                  Entropy (8bit):0.7873599747470391
                                  Encrypted:false
                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):40960
                                  Entropy (8bit):0.8553638852307782
                                  Encrypted:false
                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                  Category:dropped
                                  Size (bytes):49152
                                  Entropy (8bit):0.8180424350137764
                                  Encrypted:false
                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                  MD5:349E6EB110E34A08924D92F6B334801D
                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                  Category:dropped
                                  Size (bytes):126976
                                  Entropy (8bit):0.47147045728725767
                                  Encrypted:false
                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                  Malicious:false
                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                  Category:dropped
                                  Size (bytes):159744
                                  Entropy (8bit):0.7873599747470391
                                  Encrypted:false
                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                  Category:dropped
                                  Size (bytes):106496
                                  Entropy (8bit):1.1358696453229276
                                  Encrypted:false
                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):6085
                                  Entropy (8bit):6.038274200863744
                                  Encrypted:false
                                  SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                  MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                  SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                  SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                  SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                  Malicious:false
                                  Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:ASCII text, with CRLF, LF line terminators
                                  Category:dropped
                                  Size (bytes):7361
                                  Entropy (8bit):5.469332433440987
                                  Encrypted:false
                                  SSDEEP:96:xRwffORfFcT4AisphstDc+MnVBsdANUbg3x:xLVFvAtphQoVB
                                  MD5:35EE3958173A54E83C55811B6C16F36E
                                  SHA1:57952C41AE3DDF6258E2CB32FD4DDDF17AA9BC84
                                  SHA-256:0FFEE98684F92358134ADB5D5A90146F7E11DA4B3F5227356F5DECA17492E035
                                  SHA-512:0249E6D1B91AC465B3017F45934A77614817BB008CCE1A6F775B970E76DA5F13D0D83E748315EEA242266186806EC52E4732BB2AC07A154EAE233E36298C9D62
                                  Malicious:false
                                  Preview:Build: demon..Version: 2.0....Date: Sat Jun 22 17:41:56 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: a90be93aae5f3498f3be6813c9ea1a57....Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy7AaJtvoQ2WL1....IP: 8.46.123.33..Location: US, New York City..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 103386 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 22/6/2024 17:41:56..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776].
                                  Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                  Category:dropped
                                  Size (bytes):4897
                                  Entropy (8bit):2.518316437186352
                                  Encrypted:false
                                  SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                  MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                  SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                  SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                  SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                  Malicious:false
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.967934456708274
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:BqqQh4Jr7L.exe
                                  File size:3'251'216 bytes
                                  MD5:112de57b8288c1c154f6725f421046fc
                                  SHA1:f9feb02d8666090b7d284eaa2821244309d8f9fa
                                  SHA256:fa918289433c703e2df9e0094bc05c67fdb2259603ae24a44b02edb0cc7ec62c
                                  SHA512:7bb82912dea6255f68b693dd227b9e9f5e3d48d24b2ed1425aa8666d38d72d0e62206f94b205868a2de608e3b1935419a2a24fa42abba9c9fb476aab07bd74d0
                                  SSDEEP:98304:owbi+g33t3xUt7a48cvEHX86yzdgjTbCTyb:oDnhx3tQQ7lCTyb
                                  TLSH:DCE53330DED9AF37C5F195F0E64099452069A5BC89A283B9701F3E3F61983CDEF5A224
                                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                  Icon Hash:8596a1a0a1a1b171
                                  Entrypoint:0x980058
                                  Entrypoint Section:.boot
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:63814aaf116ba6abb6496ce4bcad24c6
                                  Instruction
                                  call 00007FC294B3EB60h
                                  push ebx
                                  mov ebx, esp
                                  push ebx
                                  mov esi, dword ptr [ebx+08h]
                                  mov edi, dword ptr [ebx+10h]
                                  cld
                                  mov dl, 80h
                                  mov al, byte ptr [esi]
                                  inc esi
                                  mov byte ptr [edi], al
                                  inc edi
                                  mov ebx, 00000002h
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jnc 00007FC294B3E9FCh
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jnc 00007FC294B3EA63h
                                  xor eax, eax
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jnc 00007FC294B3EAF7h
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  je 00007FC294B3EA1Ah
                                  push edi
                                  mov eax, eax
                                  sub edi, eax
                                  mov al, byte ptr [edi]
                                  pop edi
                                  mov byte ptr [edi], al
                                  inc edi
                                  mov ebx, 00000002h
                                  jmp 00007FC294B3E9ABh
                                  mov eax, 00000001h
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc eax, eax
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jc 00007FC294B3E9FCh
                                  sub eax, ebx
                                  mov ebx, 00000001h
                                  jne 00007FC294B3EA3Ah
                                  mov ecx, 00000001h
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  adc ecx, ecx
                                  add dl, dl
                                  jne 00007FC294B3EA17h
                                  mov dl, byte ptr [esi]
                                  inc esi
                                  adc dl, dl
                                  jc 00007FC294B3E9FCh
                                  push esi
                                  mov esi, edi
                                  sub esi, ebp
                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19618b | 0x184 | .idata
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18a000 | 0x1638 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e3000 | 0x10 | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x197018 | 0x18 | .tls
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x18369c | 0x40 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  (unnamed) | 0x1000 | 0x15bbc8 | 0x9d200 | 960c050582d9eee5fe6e94e6876b5594 | False | 0.998071735779634 | data | 7.970058974416475 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  (unnamed) | 0x15d000 | 0x27e32 | 0x10a00 | 110fa39d444d43e3c4a39a5a5025b341 | False | 0.9895441729323309 | data | 7.914044647503778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  (unnamed) | 0x185000 | 0x4930 | 0x800 | f9b1c87f4e75f06d08de83975350ca86 | False | 0.9912109375 | data | 7.753446461702969 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .rsrc | 0x18a000 | 0x1638 | 0x1800 | fe6f3fdb9e7e97cba92d8ce4e4fcc95b | False | 0.7220052083333334 | data | 6.54017046361188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  (unnamed) | 0x18c000 | 0x9858 | 0x7200 | ffbddcf207029ca1d7f173c46f3dd8db | False | 0.9775904605263158 | data | 7.918356724249394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                  .idata | 0x196000 | 0x1000 | 0x400 | 1b20e07443fa333ff9692026d1e6c6c2 | False | 0.3984375 | data | 3.42439969016873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .tls | 0x197000 | 0x1000 | 0x200 | 54a50a058e0f3b6aa2fe1b22e2033106 | False | 0.056640625 | data | 0.18120187678200297 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .themida | 0x198000 | 0x3e8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .boot | 0x580000 | 0x262400 | 0x262400 | 90e13b8fe3b71d13905e9305dcdfe220 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .reloc | 0x7e3000 | 0x1000 | 0x10 | f5bc99b71bad9e8a775cc32747e3ca58 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.474601752714581 | IMAGE_SCN_MEM_READ
                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                  RT_ICON | 0x18a440 | 0x1060 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.8838263358778626
                                  RT_GROUP_ICON | 0x18b4a0 | 0x14 | data | Russian | Russia | 1.05
                                  RT_VERSION | 0x18a130 | 0x310 | data | Russian | Russia | 0.45408163265306123
                                  RT_MANIFEST | 0x18b4b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                  DLL | Import
                                  kernel32.dll | GetModuleHandleA
                                  USER32.dll | wsprintfA
                                  GDI32.dll | CreateCompatibleBitmap
                                  ADVAPI32.dll | RegQueryValueExA
                                  SHELL32.dll | ShellExecuteA
                                  ole32.dll | CoInitialize
                                  WS2_32.dll | WSAStartup
                                  CRYPT32.dll | CryptUnprotectData
                                  SHLWAPI.dll | PathFindExtensionA
                                  gdiplus.dll | GdipGetImageEncoders
                                  SETUPAPI.dll | SetupDiEnumDeviceInfo
                                  ntdll.dll | RtlUnicodeStringToAnsiString
                                  RstrtMgr.DLL | RmStartSession
                                  Language of compilation system | Country where language is spoken | Map
                                  Russian | Russia |
                                  English | United States |
                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  06/22/24-23:40:12.531730 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
                                  06/22/24-23:41:56.985827 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
                                  06/22/24-23:41:57.447707 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
                                  06/22/24-23:39:38.120794 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
                                  06/22/24-23:41:50.767964 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
                                  06/22/24-23:41:50.550981 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
                                  06/22/24-23:39:53.611025 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
                                  06/22/24-23:42:03.642272 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
                                  06/22/24-23:39:38.731728 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 22, 2024 23:39:38.103771925 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:39:38.108870983 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:39:38.108968973 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:39:38.120794058 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:39:38.125713110 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:39:38.731728077 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:39:38.781172037 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:39:41.844007969 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:39:41.849154949 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:39:53.611025095 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:39:53.781408072 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:39:54.672338963 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:54.672420025 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:54.672528028 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:54.677382946 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:54.677422047 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.140414000 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.140616894 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:55.142314911 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:55.142335892 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.143393040 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.189234018 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:55.232541084 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.315692902 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.316020966 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.316157103 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:55.318985939 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:55.319030046 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.319062948 CEST | 49739 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:39:55.319077969 CEST | 443 | 49739 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:39:55.332026958 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:55.332117081 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:55.332257032 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:55.332554102 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:55.332588911 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:55.895174980 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:55.895343065 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:55.896702051 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:55.896724939 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:55.897073984 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:55.898310900 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:55.940521955 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:56.062951088 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:56.063164949 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:56.063299894 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:56.063929081 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:56.063961029 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:56.063987970 CEST | 49740 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:39:56.064006090 CEST | 443 | 49740 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:39:56.064326048 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:39:56.069142103 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:09.417752028 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:09.578594923 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:40:12.531729937 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:40:12.536797047 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:15.853502989 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:15.906843901 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:40:15.914050102 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:24.993652105 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:25.094379902 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:40:27.102807999 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:27.141515017 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:40:27.146646976 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:40.716033936 CEST | 58709 | 49738 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:40:40.716278076 CEST | 49738 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:49.939882994 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:49.945116043 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:49.945200920 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:49.962928057 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:49.967813015 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:50.550981045 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:50.681294918 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:50.682147980 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:50.686079979 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:50.690875053 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:50.767963886 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:50.878798962 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:50.878911972 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:50.879045963 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:50.880130053 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:50.880172968 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:50.954454899 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:51.347398996 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:51.347623110 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:51.348792076 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:51.348824978 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:51.349181890 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:51.391968012 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:51.411119938 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:51.452533007 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:51.541851997 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:51.542207956 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:51.542289019 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:51.542712927 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:51.542763948 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:51.542817116 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:51.542834997 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:51.555946112 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:51.556035042 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:51.556117058 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:51.556675911 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:51.556715012 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.030004025 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.030174017 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:52.031794071 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:52.031829119 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.032248020 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.034006119 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:52.076520920 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.208033085 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.208292007 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.208508968 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:52.208585978 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:52.208635092 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.208662987 CEST | 49743 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:52.208679914 CEST | 443 | 49743 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:52.209041119 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:52.213983059 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:52.491918087 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:52.532898903 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:52.539887905 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:52.771084070 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:52.860892057 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:52.865814924 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.111557007 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.111615896 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.111654997 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.111689091 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.111728907 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.111881971 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.111893892 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.111917019 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.111932993 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.111970901 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.112029076 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.112164021 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.112272024 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.112407923 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.112468004 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.112495899 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.112557888 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.112611055 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.112665892 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.112699986 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.112759113 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.237186909 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.237227917 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.237319946 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.237376928 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.237394094 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.237413883 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.237427950 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.237438917 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.237477064 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.298603058 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.303814888 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.525651932 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.626621008 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:53.631612062 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.857743025 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:53.954566002 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:56.775130033 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:56.775244951 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:56.780405998 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.780448914 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.780473948 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:56.780478001 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.780548096 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.780581951 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.780608892 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.786300898 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.829288006 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:56.834652901 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.835031033 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:56.852495909 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:56.857510090 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:56.985826969 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:56.991177082 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:57.447706938 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:57.577003002 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:57.577156067 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:57.577198029 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:57.582137108 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:57.830164909 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:57.893444061 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:57.893515110 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:58.501759052 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:58.501805067 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:58.501869917 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:58.579325914 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:58.579344988 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.050604105 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.050703049 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:59.099373102 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:59.099390984 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.100305080 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.195190907 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:59.236509085 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.323668003 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.323986053 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.324049950 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:59.325160027 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:59.325185061 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.325196981 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 22, 2024 23:41:59.325201988 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 22, 2024 23:41:59.329489946 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.329577923 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.329710007 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.330264091 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.330303907 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.566848040 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:59.767103910 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:59.795597076 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.795749903 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.796967030 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.796996117 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.798084974 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.799568892 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.829713106 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:59.835166931 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:41:59.835407972 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:59.840536118 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.968698025 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.968950987 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.969173908 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.969305038 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.969321012 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.969336987 CEST | 49746 | 443 | 192.168.2.4 | 104.26.4.15
Jun 22, 2024 23:41:59.969343901 CEST | 443 | 49746 | 104.26.4.15 | 192.168.2.4
Jun 22, 2024 23:41:59.969537020 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:41:59.974359989 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:42:00.243357897 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:42:00.298511982 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:42:00.303452015 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:42:00.531047106 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:42:00.595293999 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:42:03.642271996 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:42:03.642271996 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 22, 2024 23:42:03.647335052 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:42:03.647617102 CEST | 58709 | 49744 | 77.91.77.66 | 192.168.2.4
Jun 22, 2024 23:42:03.647799015 CEST | 49744 | 58709 | 192.168.2.4 | 77.91.77.66
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 22, 2024 23:39:54.108755112 CEST | 57123 | 53 | 192.168.2.4 | 1.1.1.1
Jun 22, 2024 23:39:54.115875959 CEST | 53 | 57123 | 1.1.1.1 | 192.168.2.4
Jun 22, 2024 23:39:55.321269035 CEST | 62417 | 53 | 192.168.2.4 | 1.1.1.1
Jun 22, 2024 23:39:55.331325054 CEST | 53 | 62417 | 1.1.1.1 | 192.168.2.4
Jun 22, 2024 23:41:50.865078926 CEST | 61570 | 53 | 192.168.2.4 | 1.1.1.1
Jun 22, 2024 23:41:50.872375011 CEST | 53 | 61570 | 1.1.1.1 | 192.168.2.4
Jun 22, 2024 23:41:51.546282053 CEST | 52462 | 53 | 192.168.2.4 | 1.1.1.1
Jun 22, 2024 23:41:51.554910898 CEST | 53 | 52462 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 22, 2024 23:39:54.108755112 CEST | 192.168.2.4 | 1.1.1.1 | 0x4f78 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:39:55.321269035 CEST | 192.168.2.4 | 1.1.1.1 | 0xa580 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:41:50.865078926 CEST | 192.168.2.4 | 1.1.1.1 | 0xef77 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:41:51.546282053 CEST | 192.168.2.4 | 1.1.1.1 | 0x17 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 22, 2024 23:39:54.115875959 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f78 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:39:55.331325054 CEST | 1.1.1.1 | 192.168.2.4 | 0xa580 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:39:55.331325054 CEST | 1.1.1.1 | 192.168.2.4 | 0xa580 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:39:55.331325054 CEST | 1.1.1.1 | 192.168.2.4 | 0xa580 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:41:50.872375011 CEST | 1.1.1.1 | 192.168.2.4 | 0xef77 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:41:51.554910898 CEST | 1.1.1.1 | 192.168.2.4 | 0x17 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:41:51.554910898 CEST | 1.1.1.1 | 192.168.2.4 | 0x17 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
Jun 22, 2024 23:41:51.554910898 CEST | 1.1.1.1 | 192.168.2.4 | 0x17 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false
• ipinfo.io
• https:
• db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.4 | 49730 | 34.117.186.192 | 443
Timestamp | Bytes transferred | Direction | Data
2024-06-22 21:37:51 UTC | 59 | OUT | GET / HTTP/1.1
Host: ipinfo.io
Connection: Keep-Alive
2024-06-22 21:37:51 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Sat, 22 Jun 2024 21:37:51 GMT
content-type: application/json; charset=utf-8
Content-Length: 319
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 1
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-22 21:37:51 UTC | 319 | IN | Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22
Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 34.117.186.192 | 443 | 7460 | C:\Users\user\Desktop\BqqQh4Jr7L.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-22 21:39:55 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-06-22 21:39:55 UTC | 514 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Sat, 22 Jun 2024 21:39:55 GMT
content-type: application/json; charset=utf-8
Content-Length: 1025
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-22 21:39:55 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-22 21:39:55 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  2 | 192.168.2.4 | 49740 | 104.26.4.15 | 443 | 7460 | C:\Users\user\Desktop\BqqQh4Jr7L.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-06-22 21:39:55 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Content-Type: application/x-www-form-urlencoded
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: db-ip.com
                                  2024-06-22 21:39:56 UTC | 655 | IN | HTTP/1.1 200 OK
                                  Date: Sat, 22 Jun 2024 21:39:56 GMT
                                  Content-Type: application/json
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  x-iplb-request-id: AC4672B0:CB5C_93878F2E:0050_667744AC_152123F0:7B63
                                  x-iplb-instance: 59128
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ahs60WgJtPNggKCHP8%2Fw47xQSSsv34ZcUUuijTVqkyj5%2B9JVScazlVErbRJO0xokBXaoaiyLAFoRXfcafXExNOWQJVRBMAGPmEfFYQyDhHJIly%2BQNJRrAcVb3Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 897f64d2d86f8cec-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  2024-06-22 21:39:56 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                  2024-06-22 21:39:56 UTC | 5 | IN | Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  3 | 192.168.2.4 | 49742 | 34.117.186.192 | 443 | 4296 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-06-22 21:41:51 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Referer: https://ipinfo.io/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: ipinfo.io
                                  2024-06-22 21:41:51 UTC | 514 | IN | HTTP/1.1 200 OK
                                  server: nginx/1.24.0
                                  date: Sat, 22 Jun 2024 21:41:51 GMT
                                  content-type: application/json; charset=utf-8
                                  Content-Length: 1025
                                  access-control-allow-origin: *
                                  x-frame-options: SAMEORIGIN
                                  x-xss-protection: 1; mode=block
                                  x-content-type-options: nosniff
                                  referrer-policy: strict-origin-when-cross-origin
                                  x-envoy-upstream-service-time: 3
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close
                                  2024-06-22 21:41:51 UTC | 876 | IN | Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                  2024-06-22 21:41:51 UTC | 149 | IN | Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  4 | 192.168.2.4 | 49743 | 104.26.4.15 | 443 | 4296 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-06-22 21:41:52 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Content-Type: application/x-www-form-urlencoded
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: db-ip.com
                                  2024-06-22 21:41:52 UTC | 661 | IN | HTTP/1.1 200 OK
                                  Date: Sat, 22 Jun 2024 21:41:52 GMT
                                  Content-Type: application/json
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  x-iplb-request-id: A29E9AA1:927A_93878F2E:0050_66774520_153486EE:4F34
                                  x-iplb-instance: 59215
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oxwt%2BFvd30Hm30j9lXCcwZRtZkPIpkpruYqHjW4BRnrBr9tLGleWu%2FUlaf1vi36OPsmosFOT36eEWWjTNu%2BL2jaHpeSz7GwAnSQ%2FJYm6UZn2ZMI%2FykEwUWU%2FJg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 897f67a8bfdf43f3-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  2024-06-22 21:41:52 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                  2024-06-22 21:41:52 UTC | 5 | IN | Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  5 | 192.168.2.4 | 49745 | 34.117.186.192 | 443 | 2416 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-06-22 21:41:59 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Referer: https://ipinfo.io/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: ipinfo.io
                                  2024-06-22 21:41:59 UTC | 514 | IN | HTTP/1.1 200 OK
                                  server: nginx/1.24.0
                                  date: Sat, 22 Jun 2024 21:41:59 GMT
                                  content-type: application/json; charset=utf-8
                                  Content-Length: 1025
                                  access-control-allow-origin: *
                                  x-frame-options: SAMEORIGIN
                                  x-xss-protection: 1; mode=block
                                  x-content-type-options: nosniff
                                  referrer-policy: strict-origin-when-cross-origin
                                  x-envoy-upstream-service-time: 2
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close
                                  2024-06-22 21:41:59 UTC | 876 | IN | Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                  2024-06-22 21:41:59 UTC | 149 | IN | Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  6 | 192.168.2.4 | 49746 | 104.26.4.15 | 443 | 2416 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-06-22 21:41:59 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                  Connection: Keep-Alive
                                  Content-Type: application/x-www-form-urlencoded
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                  Host: db-ip.com
                                  2024-06-22 21:41:59 UTC | 651 | IN | HTTP/1.1 200 OK
                                  Date: Sat, 22 Jun 2024 21:41:59 GMT
                                  Content-Type: application/json
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  x-iplb-request-id: AC467225:5154_93878F2E:0050_66774527_15213306:7B63
                                  x-iplb-instance: 59128
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lDYrMoHvk7x0Xhoy2SoQZwSjubewsV9uXvjR7pcdeDvjKHw9qzLUgR%2BqDtF63BGlpQQzbOO2oFcHlKWyLbxc6MnHNSwjEgNCvwoiVFzVPadjqhdkKbBSCUnU7w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 897f67d94bec7cf3-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  2024-06-22 21:41:59 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                  2024-06-22 21:41:59 UTC | 5 | IN | Data Ascii: 0


                                  Target ID:0
                                  Start time:17:37:57
                                  Start date:22/06/2024
                                  Path:C:\Users\user\Desktop\BqqQh4Jr7L.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\BqqQh4Jr7L.exe"
                                  Imagebase:0x400000
                                  File size:3'251'216 bytes
                                  MD5 hash:112DE57B8288C1C154F6725F421046FC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  Target ID:5
                                  Start time:17:39:37
                                  Start date:22/06/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                  Imagebase:0x530000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:17:39:37
                                  Start date:22/06/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:17:39:37
                                  Start date:22/06/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                  Imagebase:0x530000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:17:39:37
                                  Start date:22/06/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:17:39:39
                                  Start date:22/06/2024
                                  Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Imagebase:0x400000
                                  File size:3'251'216 bytes
                                  MD5 hash:112DE57B8288C1C154F6725F421046FC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 53%, ReversingLabs
                                  Reputation:low
                                  Has exited:false

                                  Target ID:10
                                  Start time:17:39:39
                                  Start date:22/06/2024
                                  Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                  Imagebase:0x400000
                                  File size:3'251'216 bytes
                                  MD5 hash:112DE57B8288C1C154F6725F421046FC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  Target ID:11
                                  Start time:17:39:48
                                  Start date:22/06/2024
                                  Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                  Imagebase:0x400000
                                  File size:3'251'216 bytes
                                  MD5 hash:112DE57B8288C1C154F6725F421046FC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.4050437795.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.4050337195.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.4081389464.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.4050509626.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.4081149352.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.4050393181.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000002.4139560551.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000002.4140948069.00000000057C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.4050298214.00000000057B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000002.4140714950.0000000005760000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.4050659408.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 53%, ReversingLabs
                                  Reputation:low
                                  Has exited:false

                                  Target ID:12
                                  Start time:17:39:56
                                  Start date:22/06/2024
                                  Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                  Imagebase:0x400000
                                  File size:3'251'216 bytes
                                  MD5 hash:112DE57B8288C1C154F6725F421046FC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:15
                                  Start time:17:41:59
                                  Start date:22/06/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1912
                                  Imagebase:0x990000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:4.4%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:4.5%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:34
___std_exception_destroy 14 API calls 13961->13966 13968 44b01a ___std_exception_destroy 14 API calls 13962->13968 13963 452282 13969 44b01a ___std_exception_destroy 14 API calls 13963->13969 13970 45144a __Getctype 14 API calls 13964->13970 13965 44b01a ___std_exception_destroy 14 API calls 13972 4521a6 13965->13972 13973 452209 13966->13973 13967->13963 13971 44b01a 14 API calls ___std_exception_destroy 13967->13971 13968->13954 13974 452288 13969->13974 13970->13975 13971->13967 13976 4518a9 __Getctype 14 API calls 13972->13976 13977 44b01a ___std_exception_destroy 14 API calls 13973->13977 13974->13948 13975->13965 13978 4521b1 13975->13978 13976->13978 13977->13979 13978->13959 13979->13953 13980->13951 13982 4499b3 13981->13982 13985 4499c1 13981->13985 13982->13985 13988 4499d9 13982->13988 13983 4416ff ___std_exception_copy 14 API calls 13984 4499c9 13983->13984 13993 438c60 13984->13993 13985->13983 13987 4499d3 13987->13852 13988->13987 13989 4416ff ___std_exception_copy 14 API calls 13988->13989 13989->13984 13991 44b01a ___std_exception_destroy 14 API calls 13990->13991 13992 441cae 13991->13992 13992->13853 13996 438bac 13993->13996 13997 438bbe ___std_exception_copy 13996->13997 14002 438be3 13997->14002 13999 438bd6 14013 43899c 13999->14013 14003 438bf3 14002->14003 14004 438bfa 14002->14004 14019 438a01 GetLastError 14003->14019 14009 438c08 14004->14009 14023 4389d8 14004->14023 14007 438c2f 14007->14009 14026 438c8d IsProcessorFeaturePresent 14007->14026 14009->13999 14010 438c5f 14011 438bac ___std_exception_copy 40 API calls 14010->14011 14012 438c6c 14011->14012 14012->13999 14014 4389a8 14013->14014 14015 4389bf 14014->14015 14058 438a47 14014->14058 14017 4389d2 14015->14017 14018 438a47 ___std_exception_copy 40 API calls 14015->14018 14017->13987 14018->14017 14020 438a1a 14019->14020 14030 44a044 14020->14030 14024 4389e3 GetLastError SetLastError 14023->14024 14025 4389fc 14023->14025 14024->14007 14025->14007 14027 438c99 14026->14027 
14052 438a64 14027->14052 14031 44a057 14030->14031 14035 44a05d 14030->14035 14033 44b65c __Getctype 6 API calls 14031->14033 14032 44b69b __Getctype 6 API calls 14034 44a077 14032->14034 14033->14035 14036 438a32 SetLastError 14034->14036 14037 44a65a __Getctype 14 API calls 14034->14037 14035->14032 14035->14036 14036->14004 14038 44a087 14037->14038 14039 44a0a4 14038->14039 14040 44a08f 14038->14040 14042 44b69b __Getctype 6 API calls 14039->14042 14041 44b69b __Getctype 6 API calls 14040->14041 14044 44a09b 14041->14044 14043 44a0b0 14042->14043 14045 44a0b4 14043->14045 14046 44a0c3 14043->14046 14049 44b01a ___std_exception_destroy 14 API calls 14044->14049 14047 44b69b __Getctype 6 API calls 14045->14047 14048 449c70 __Getctype 14 API calls 14046->14048 14047->14044 14050 44a0ce 14048->14050 14049->14036 14051 44b01a ___std_exception_destroy 14 API calls 14050->14051 14051->14036 14053 438a80 std::locale::_Setgloballocale 14052->14053 14054 438aac IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14053->14054 14055 438b7d std::locale::_Setgloballocale 14054->14055 14056 433d77 _ValidateLocalCookies 5 API calls 14055->14056 14057 438b9b GetCurrentProcess TerminateProcess 14056->14057 14057->14010 14059 438a51 14058->14059 14060 438a5a 14058->14060 14061 438a01 ___std_exception_copy 16 API calls 14059->14061 14060->14015 14062 438a56 14061->14062 14062->14060 14065 4441c6 14062->14065 14066 44f620 std::locale::_Setgloballocale RtlEnterCriticalSection RtlLeaveCriticalSection 14065->14066 14067 4441cb 14066->14067 14068 4441d6 14067->14068 14071 44f665 std::locale::_Setgloballocale 39 API calls 14067->14071 14069 4441e0 IsProcessorFeaturePresent 14068->14069 14070 4441ff 14068->14070 14072 4441ec 14069->14072 14073 4436e2 std::locale::_Setgloballocale 20 API calls 14070->14073 14071->14068 14074 438a64 std::locale::_Setgloballocale 8 API calls 14072->14074 14076 444209 14073->14076 14074->14070 14075 44b7f4 std::locale::_Setgloballocale 6 
API calls 14075->14076 14076->14075 14077 44423e 14076->14077 14078 438a63 14076->14078 14079 444262 __Getctype RtlDeleteCriticalSection 14077->14079 14079->14078 14081 445ac1 std::locale::_Setgloballocale 14080->14081 14086 44424b RtlEnterCriticalSection 14081->14086 14083 445acc std::locale::_Setgloballocale 14087 445b03 14083->14087 14086->14083 14090 444293 RtlLeaveCriticalSection 14087->14090 14089 445a94 14089->13820 14090->14089 14209 432b99 14091->14209 14094 405410 14095 405419 14094->14095 14097 432534 std::_Throw_Cpp_error 78 API calls 14094->14097 14095->13754 14098 405430 14097->14098 14220 43953c 14098->14220 14102 402d13 14101->14102 14102->14102 14103 403040 std::_Throw_Cpp_error 42 API calls 14102->14103 14104 402d25 14103->14104 14104->13754 14106 41ad10 14105->14106 14106->14106 14786 41fbf0 14106->14786 14109 403040 std::_Throw_Cpp_error 42 API calls 14108->14109 14110 402d55 14109->14110 14111 4d62c0 14110->14111 14112 4d6358 14111->14112 14124 4d6361 std::locale::_Setgloballocale 14111->14124 14795 41e4b0 14112->14795 14115 4d654f 14118 4d6553 14115->14118 14899 416130 14115->14899 14119 4d6580 std::ios_base::_Ios_base_dtor 14118->14119 14120 438c70 std::_Throw_Cpp_error 40 API calls 14118->14120 14119->13758 14121 4d65ce 14120->14121 14122 433069 __Xtime_get_ticks 2 API calls 14121->14122 14123 4d65d6 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 14122->14123 14123->13758 14124->14115 14124->14118 14818 4f4760 14124->14818 14829 424160 14124->14829 14126 402e13 14125->14126 14127 402e2e std::ios_base::_Ios_base_dtor 14125->14127 14126->14127 14128 438c70 std::_Throw_Cpp_error 40 API calls 14126->14128 14127->13760 14129 402e5f 14128->14129 14130 402e88 14129->14130 14131 4032d0 std::_Throw_Cpp_error 42 API calls 14129->14131 14130->13760 14133 402eee std::_Locinfo::_Locinfo_ctor 14131->14133 14132 402f3c std::_Locinfo::_Locinfo_ctor 14132->13760 14133->14132 14134 402fe0 std::_Throw_Cpp_error 40 API calls 14133->14134 14135 402f2b 14134->14135 
14135->13760 14997 43975e 14136->14997 14140 4162b1 14139->14140 14141 41629d 14139->14141 14140->13734 14142 416130 42 API calls 14141->14142 14142->14140 14144 4412ca ___std_exception_copy 14143->14144 15048 43d6a5 14144->15048 14146 4412e4 14147 43899c ___std_exception_copy 40 API calls 14146->14147 14148 4412f1 14147->14148 14148->13734 14150 4cf31d 14149->14150 14151 4cf35a VirtualAllocEx 14149->14151 14152 4cf323 WriteProcessMemory 14150->14152 14153 4cf3cf std::locale::_Setgloballocale 14151->14153 14152->14152 14154 4cf357 14152->14154 15264 41ab20 14153->15264 14154->14151 14157 418f00 std::_Throw_Cpp_error 42 API calls 14158 4cf47f 14157->14158 14159 402df0 std::_Throw_Cpp_error 42 API calls 14158->14159 14160 4cf4c9 14159->14160 15269 403440 14160->15269 14163 4cf56d 14164 4cf58b std::ios_base::_Ios_base_dtor 14163->14164 14166 4cf5c9 14163->14166 14165 402df0 std::_Throw_Cpp_error 42 API calls 14164->14165 14167 4cf5b6 14165->14167 14168 438c70 std::_Throw_Cpp_error 40 API calls 14166->14168 14167->13766 14169 4cf5ce 14168->14169 14169->13766 14170 441628 14171 44163b ___std_exception_copy 14170->14171 15526 44140a 14171->15526 14173 441650 14174 43899c ___std_exception_copy 40 API calls 14173->14174 14175 44165d 14174->14175 14176 43d0a8 14175->14176 14177 43d0bb ___std_exception_copy 14176->14177 15696 43cf83 14177->15696 14179 43d0c7 14180 43899c ___std_exception_copy 40 API calls 14179->14180 14181 43d0d3 14180->14181 14181->13768 14183 41524c 14182->14183 14186 415286 14182->14186 14183->14186 14187 402df0 std::_Throw_Cpp_error 42 API calls 14183->14187 14184 402df0 std::_Throw_Cpp_error 42 API calls 14185 415294 14184->14185 14185->13773 14186->14184 14187->14183 14189 432bb6 RtlReleaseSRWLockExclusive 14188->14189 14190 432bc4 14188->14190 14189->14190 14190->13734 15788 417ef0 14191->15788 14193 41b48d 15807 422100 14193->15807 14197 41b503 15877 41d490 14197->15877 14199 41b512 14199->13734 16232 458bb0 14200->16232 14202 458b31 
std::_Locinfo::_Locinfo_ctor 14203 403040 std::_Throw_Cpp_error 42 API calls 14202->14203 14204 458b7c 14203->14204 14204->13747 14206 4162ce 14205->14206 14208 4162d3 14205->14208 14207 402df0 std::_Throw_Cpp_error 42 API calls 14206->14207 14207->14208 14208->13751 14226 432bc8 GetCurrentThreadId 14209->14226 14212 432534 14213 43254a std::_Throw_Cpp_error 14212->14213 14252 4324e7 14213->14252 14221 43954f ___std_exception_copy 14220->14221 14760 4393db 14221->14760 14223 43955e 14224 43899c ___std_exception_copy 40 API calls 14223->14224 14225 405450 14224->14225 14225->13754 14227 432bf2 14226->14227 14228 432c11 14226->14228 14231 432bf7 RtlAcquireSRWLockExclusive 14227->14231 14237 432c07 14227->14237 14229 432c31 14228->14229 14230 432c1a 14228->14230 14233 432c90 14229->14233 14239 432c49 14229->14239 14232 432c25 RtlAcquireSRWLockExclusive 14230->14232 14230->14237 14231->14237 14232->14237 14235 432c97 RtlTryAcquireSRWLockExclusive 14233->14235 14233->14237 14235->14237 14236 405409 14236->14094 14236->14212 14244 433d77 14237->14244 14239->14237 14240 432c80 RtlTryAcquireSRWLockExclusive 14239->14240 14241 43302b 14239->14241 14240->14237 14240->14239 14242 433069 __Xtime_get_ticks 2 API calls 14241->14242 14243 433036 __aulldiv __aullrem 14242->14243 14243->14239 14245 433d80 IsProcessorFeaturePresent 14244->14245 14246 433d7f 14244->14246 14248 43455a 14245->14248 14246->14236 14251 43451d SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14248->14251 14250 43463d 14250->14236 14251->14250 14253 4324f3 __EH_prolog3_GS 14252->14253 14254 402cf0 std::_Throw_Cpp_error 42 API calls 14253->14254 14255 432507 14254->14255 14275 4036e0 14255->14275 14257 43251c 14258 402df0 std::_Throw_Cpp_error 42 API calls 14257->14258 14259 432524 14258->14259 14291 433f6d 14259->14291 14276 4163b0 std::_Throw_Cpp_error 42 API calls 14275->14276 14277 403731 14276->14277 14278 40375a 14277->14278 14294 418f00 14277->14294 14280 418f00 
std::_Throw_Cpp_error 42 API calls 14278->14280 14281 40378a 14280->14281 14282 402df0 std::_Throw_Cpp_error 42 API calls 14281->14282 14283 4037a4 14282->14283 14284 434b15 ___std_exception_copy 41 API calls 14283->14284 14286 40381e 14284->14286 14285 40385f std::ios_base::_Ios_base_dtor 14285->14257 14286->14285 14287 438c70 std::_Throw_Cpp_error 40 API calls 14286->14287 14288 4038b0 14287->14288 14303 434b78 14288->14303 14290 4038f5 std::ios_base::_Ios_base_dtor 14290->14257 14292 433d77 _ValidateLocalCookies 5 API calls 14291->14292 14293 433f77 14292->14293 14293->14293 14295 418f22 std::_Locinfo::_Locinfo_ctor 14294->14295 14296 418f4f 14294->14296 14295->14278 14297 4032d0 std::_Throw_Cpp_error 42 API calls 14296->14297 14298 41902f std::ios_base::_Ios_base_dtor 14296->14298 14299 418fa4 std::_Locinfo::_Locinfo_ctor 14297->14299 14298->14278 14300 419002 std::_Locinfo::_Locinfo_ctor 14299->14300 14301 402fe0 std::_Throw_Cpp_error 40 API calls 14299->14301 14300->14278 14302 418fef 14301->14302 14302->14278 14304 434b85 14303->14304 14305 434b8c 14303->14305 14306 441c96 ___std_exception_destroy 14 API calls 14304->14306 14305->14290 14306->14305 14761 4393e7 std::locale::_Setgloballocale 14760->14761 14762 4393f0 14761->14762 14763 439414 14761->14763 14765 438be3 ___std_exception_copy 40 API calls 14762->14765 14774 441250 RtlEnterCriticalSection 14763->14774 14773 439409 14765->14773 14766 43941d 14767 439432 14766->14767 14775 44a1e9 14766->14775 14769 4394cf 14767->14769 14770 43949e 14767->14770 14782 439507 14769->14782 14771 438be3 ___std_exception_copy 40 API calls 14770->14771 14771->14773 14773->14223 14774->14766 14776 44a1f5 14775->14776 14777 44a20a 14775->14777 14778 4416ff ___std_exception_copy 14 API calls 14776->14778 14777->14767 14779 44a1fa 14778->14779 14780 438c60 ___std_exception_copy 40 API calls 14779->14780 14781 44a205 14780->14781 14781->14767 14785 441264 RtlLeaveCriticalSection 14782->14785 14784 43950d 14784->14773 
14785->14784 14787 41fc12 std::_Locinfo::_Locinfo_ctor 14786->14787 14789 41fc8d 14786->14789 14788 41fd5e 14789->14788 14790 4032d0 std::_Throw_Cpp_error 42 API calls 14789->14790 14791 41fce1 std::_Locinfo::_Locinfo_ctor 14790->14791 14792 41fd3a std::_Locinfo::_Locinfo_ctor 14791->14792 14793 402fe0 std::_Throw_Cpp_error 40 API calls 14791->14793 14794 41fd27 14793->14794 14796 41e4c2 14795->14796 14797 41e528 14795->14797 14799 41e4f9 14796->14799 14800 41e4ca 14796->14800 14910 403330 14797->14910 14803 41e516 14799->14803 14806 433672 std::_Facet_Register 42 API calls 14799->14806 14801 41e52d 14800->14801 14802 41e4d1 14800->14802 14804 402b50 Concurrency::cancel_current_task 42 API calls 14801->14804 14805 433672 std::_Facet_Register 42 API calls 14802->14805 14803->14124 14807 41e4d7 14804->14807 14805->14807 14808 41e503 14806->14808 14809 438c70 std::_Throw_Cpp_error 40 API calls 14807->14809 14810 41e4e0 14807->14810 14808->14124 14811 41e537 14809->14811 14810->14124 14913 416ad0 14811->14913 14813 41e574 14814 404900 std::_Throw_Cpp_error 42 API calls 14813->14814 14816 41e5fb 14814->14816 14815 41e613 14815->14124 14816->14815 14917 419b60 14816->14917 14819 4f4767 14818->14819 14820 4f476c 14818->14820 14819->14124 14821 4423ec ___std_exception_copy 15 API calls 14820->14821 14827 4f47af 14820->14827 14821->14827 14822 4f47c2 14822->14124 14823 4f4877 14823->14124 14824 441c96 ___std_exception_destroy 14 API calls 14825 4f4867 14824->14825 14825->14124 14826 4f4821 14826->14823 14826->14824 14827->14822 14827->14826 14828 441c96 ___std_exception_destroy 14 API calls 14827->14828 14828->14826 14830 424195 14829->14830 14831 424288 14829->14831 14833 4241b1 14830->14833 14834 424202 14830->14834 14835 4241f2 14830->14835 14832 403330 42 API calls 14831->14832 14836 42428d 14832->14836 14838 433672 std::_Facet_Register 42 API calls 14833->14838 14841 433672 std::_Facet_Register 42 API calls 14834->14841 14846 4241cf std::_Locinfo::_Locinfo_ctor 
std::locale::_Setgloballocale 14834->14846 14835->14833 14835->14836 14837 402b50 Concurrency::cancel_current_task 42 API calls 14836->14837 14840 424292 14837->14840 14839 4241c4 14838->14839 14839->14840 14839->14846 14842 438c70 std::_Throw_Cpp_error 40 API calls 14840->14842 14841->14846 14843 424297 14842->14843 14844 4242fa 14843->14844 14845 4243e9 14843->14845 14963 426ff0 14844->14963 14847 403330 42 API calls 14845->14847 14958 4277d0 14846->14958 14848 4243ee 14847->14848 14851 42445a 14848->14851 14852 424549 14848->14852 14855 426ff0 42 API calls 14851->14855 14854 403330 42 API calls 14852->14854 14853 42425e 14853->14124 14862 42454e 14854->14862 14857 424496 14855->14857 14856 42470b 14859 403330 42 API calls 14856->14859 14861 4163b0 std::_Throw_Cpp_error 42 API calls 14857->14861 14858 424706 14863 402b50 Concurrency::cancel_current_task 42 API calls 14858->14863 14864 4246af 14859->14864 14860 424336 14971 427830 14860->14971 14876 4244c4 14861->14876 14862->14856 14862->14858 14865 424615 14862->14865 14866 4245ee 14862->14866 14863->14856 14867 438c70 std::_Throw_Cpp_error 40 API calls 14864->14867 14890 4246d1 std::ios_base::_Ios_base_dtor 14864->14890 14873 433672 std::_Facet_Register 42 API calls 14865->14873 14878 4245ff 14865->14878 14866->14858 14868 4245f9 14866->14868 14869 424715 14867->14869 14870 433672 std::_Facet_Register 42 API calls 14868->14870 14988 41d010 14869->14988 14870->14878 14873->14878 14874 4243b0 14874->14124 14879 427830 42 API calls 14876->14879 14878->14864 14878->14890 14978 431f9c 14878->14978 14881 424510 14879->14881 14880 42472f 14882 4351fb Concurrency::cancel_current_task RaiseException 14880->14882 14881->14124 14883 424738 14882->14883 14884 424798 14883->14884 14885 42475b 14883->14885 14886 42477f 14883->14886 14887 402b50 Concurrency::cancel_current_task 42 API calls 14884->14887 14885->14884 14888 424762 14885->14888 14889 424791 14886->14889 14893 433672 std::_Facet_Register 42 API calls 14886->14893 
14891 424768 14887->14891 14892 433672 std::_Facet_Register 42 API calls 14888->14892 14889->14124 14890->14124 14895 438c70 std::_Throw_Cpp_error 40 API calls 14891->14895 14898 424771 14891->14898 14892->14891 14896 424789 14893->14896 14897 4247a2 14895->14897 14896->14124 14898->14124 14900 416143 std::_Locinfo::_Locinfo_ctor 14899->14900 14901 416174 14899->14901 14900->14118 14902 416200 14901->14902 14903 416180 14901->14903 14905 418f00 std::_Throw_Cpp_error 42 API calls 14902->14905 14904 4032d0 std::_Throw_Cpp_error 42 API calls 14903->14904 14908 4161bf std::_Locinfo::_Locinfo_ctor 14904->14908 14906 416232 14905->14906 14906->14118 14907 4161ed 14907->14118 14908->14907 14909 402fe0 std::_Throw_Cpp_error 40 API calls 14908->14909 14909->14907 14921 431cea 14910->14921 14914 416b02 14913->14914 14915 416b1d 14914->14915 14947 4150e0 14914->14947 14915->14813 14918 419bbb 14917->14918 14919 419b96 14917->14919 14918->14815 14919->14918 14955 4188a0 14919->14955 14934 431a9f 14921->14934 14924 4351fb Concurrency::cancel_current_task RaiseException 14925 431d09 14924->14925 14937 431af4 14925->14937 14928 4351fb Concurrency::cancel_current_task RaiseException 14929 431d29 14928->14929 14940 431b37 14929->14940 14932 4351fb Concurrency::cancel_current_task RaiseException 14933 431d49 14932->14933 14944 4034e0 14934->14944 14938 4034e0 std::invalid_argument::invalid_argument 41 API calls 14937->14938 14939 431b06 14938->14939 14939->14928 14941 431b4b std::regex_error::regex_error 14940->14941 14942 4034e0 std::invalid_argument::invalid_argument 41 API calls 14941->14942 14943 431b54 14942->14943 14943->14932 14945 434b15 ___std_exception_copy 41 API calls 14944->14945 14946 403522 14945->14946 14946->14924 14948 415117 14947->14948 14954 4151b5 14947->14954 14949 416ad0 42 API calls 14948->14949 14950 415120 14949->14950 14951 41519d 14950->14951 14952 404900 std::_Throw_Cpp_error 42 API calls 14950->14952 14953 419b60 42 API calls 14951->14953 14951->14954 
14952->14951 14953->14954 14954->14915 14956 404900 std::_Throw_Cpp_error 42 API calls 14955->14956 14957 4188bf 14956->14957 14957->14918 14959 4277dc 14958->14959 14960 4277f9 std::ios_base::_Ios_base_dtor 14958->14960 14959->14960 14961 438c70 std::_Throw_Cpp_error 40 API calls 14959->14961 14960->14853 14962 427824 14961->14962 14964 426ff9 14963->14964 14965 42703c 14963->14965 14964->14965 14966 427013 14964->14966 14968 433672 std::_Facet_Register 42 API calls 14964->14968 14965->14965 14967 42701c 14966->14967 14969 433672 std::_Facet_Register 42 API calls 14966->14969 14967->14860 14968->14966 14970 427035 14969->14970 14970->14860 14974 427882 std::ios_base::_Ios_base_dtor 14971->14974 14975 42783d 14971->14975 14972 402df0 std::_Throw_Cpp_error 42 API calls 14972->14975 14973 427853 14973->14974 14976 438c70 std::_Throw_Cpp_error 40 API calls 14973->14976 14974->14874 14975->14972 14975->14973 14977 4278b6 14976->14977 14979 431fb2 14978->14979 14980 431fa5 FindClose 14978->14980 14979->14878 14980->14979 14981 431fb6 14980->14981 14982 4441c6 __Getctype 40 API calls 14981->14982 14983 431fbb 14982->14983 14984 431f9c 40 API calls 14983->14984 14985 431fca FindFirstFileExW 14984->14985 14986 431fe5 14985->14986 14987 431fe9 GetLastError 14985->14987 14986->14878 14987->14986 14989 41d01a 14988->14989 14990 41d02e 14988->14990 14989->14990 14991 431f9c 43 API calls 14989->14991 14992 419910 14990->14992 14991->14989 14993 419928 14992->14993 14994 419938 std::ios_base::_Ios_base_dtor 14992->14994 14993->14994 14995 438c70 std::_Throw_Cpp_error 40 API calls 14993->14995 14994->14880 14996 41994d 14995->14996 15000 43976a std::locale::_Setgloballocale 14997->15000 14998 439771 14999 4416ff ___std_exception_copy 14 API calls 14998->14999 15001 439776 14999->15001 15000->14998 15002 439791 15000->15002 15003 438c60 ___std_exception_copy 40 API calls 15001->15003 15004 4397a3 15002->15004 15005 439796 15002->15005 15006 439781 15003->15006 15014 44a8ef 
15004->15014 15007 4416ff ___std_exception_copy 14 API calls 15005->15007 15006->13768 15006->14170 15007->15006 15010 4397b3 15012 4416ff ___std_exception_copy 14 API calls 15010->15012 15011 4397c0 15022 4397fe 15011->15022 15012->15006 15015 44a8fb std::locale::_Setgloballocale 15014->15015 15026 44424b RtlEnterCriticalSection 15015->15026 15017 44a909 15027 44a993 15017->15027 15023 439802 15022->15023 15047 441264 RtlLeaveCriticalSection 15023->15047 15025 439813 15025->15006 15026->15017 15035 44a9b6 15027->15035 15028 44a916 15040 44a94f 15028->15040 15029 44aa0e 15030 44a65a __Getctype 14 API calls 15029->15030 15031 44aa17 15030->15031 15033 44b01a ___std_exception_destroy 14 API calls 15031->15033 15034 44aa20 15033->15034 15034->15028 15036 44b7f4 std::locale::_Setgloballocale 6 API calls 15034->15036 15035->15028 15035->15029 15035->15035 15043 441250 RtlEnterCriticalSection 15035->15043 15044 441264 RtlLeaveCriticalSection 15035->15044 15037 44aa3f 15036->15037 15045 441250 RtlEnterCriticalSection 15037->15045 15046 444293 RtlLeaveCriticalSection 15040->15046 15042 4397ac 15042->15010 15042->15011 15043->15035 15044->15035 15045->15028 15046->15042 15047->15025 15062 43ce79 15048->15062 15050 43d6ff 15056 43d723 15050->15056 15069 43e1d0 15050->15069 15051 43d6b7 15051->15050 15052 43d6cc 15051->15052 15061 43d6e7 std::_Locinfo::_Locinfo_ctor 15051->15061 15054 438be3 ___std_exception_copy 40 API calls 15052->15054 15054->15061 15058 43d747 15056->15058 15076 43ce94 15056->15076 15057 43d7cf 15059 43ce22 40 API calls 15057->15059 15058->15057 15083 43ce22 15058->15083 15059->15061 15061->14146 15063 43ce91 15062->15063 15064 43ce7e 15062->15064 15063->15051 15065 4416ff ___std_exception_copy 14 API calls 15064->15065 15066 43ce83 15065->15066 15067 438c60 ___std_exception_copy 40 API calls 15066->15067 15068 43ce8e 15067->15068 15068->15051 15070 438a47 ___std_exception_copy 40 API calls 15069->15070 15071 43e1e0 15070->15071 15089 44a15a 15071->15089 
15077 43cea0 15076->15077 15078 43ceb6 15076->15078 15080 44454e __Getctype 40 API calls 15077->15080 15079 43cec6 15078->15079 15233 449a39 15078->15233 15079->15056 15081 43ceab std::_Locinfo::_Locinfo_ctor 15080->15081 15081->15056 15084 43ce33 15083->15084 15085 43ce47 15083->15085 15084->15085 15086 4416ff ___std_exception_copy 14 API calls 15084->15086 15085->15057 15087 43ce3c 15086->15087 15088 438c60 ___std_exception_copy 40 API calls 15087->15088 15088->15085 15090 44a171 15089->15090 15091 43e1fd 15089->15091 15090->15091 15092 452392 __Getctype 40 API calls 15090->15092 15093 44a1b8 15091->15093 15092->15091 15094 43e20a 15093->15094 15095 44a1cf 15093->15095 15094->15056 15095->15094 15097 4506bd 15095->15097 15098 449e42 __Getctype 40 API calls 15097->15098 15099 4506c2 15098->15099 15102 4505d5 15099->15102 15101 4506cd 15101->15094 15103 4505e1 std::locale::_Setgloballocale 15102->15103 15110 4505fb 15103->15110 15117 44424b RtlEnterCriticalSection 15103->15117 15105 45060b 15113 44b01a ___std_exception_destroy 14 API calls 15105->15113 15115 450637 15105->15115 15106 450602 15106->15101 15107 4441c6 __Getctype 40 API calls 15109 450674 15107->15109 15111 4506b0 15109->15111 15121 449efd 15109->15121 15110->15106 15110->15107 15111->15101 15113->15115 15118 450654 15115->15118 15117->15105 15169 444293 RtlLeaveCriticalSection 15118->15169 15120 45065b 15120->15110 15122 449f08 15121->15122 15125 449f0e 15121->15125 15123 44b65c __Getctype 6 API calls 15122->15123 15123->15125 15124 44b69b __Getctype 6 API calls 15126 449f28 15124->15126 15125->15124 15127 449f14 15125->15127 15126->15127 15129 44a65a __Getctype 14 API calls 15126->15129 15128 449f19 15127->15128 15130 4441c6 __Getctype 40 API calls 15127->15130 15146 450480 15128->15146 15132 449f38 15129->15132 15131 449f92 15130->15131 15133 449f55 15132->15133 15134 449f40 15132->15134 15135 44b69b __Getctype 6 API calls 15133->15135 15136 44b69b __Getctype 6 API calls 15134->15136 15137 449f61 
15135->15137 15138 449f4c 15136->15138 15139 449f74 15137->15139 15140 449f65 15137->15140 15141 44b01a ___std_exception_destroy 14 API calls 15138->15141 15143 449c70 __Getctype 14 API calls 15139->15143 15142 44b69b __Getctype 6 API calls 15140->15142 15141->15127 15142->15138 15144 449f7f 15143->15144 15145 44b01a ___std_exception_destroy 14 API calls 15144->15145 15145->15128 15147 4505d5 std::_Locinfo::_Locinfo_ctor 50 API calls 15146->15147 15148 4504aa 15147->15148 15170 450207 15148->15170 15153 4504dc 15155 44b01a ___std_exception_destroy 14 API calls 15153->15155 15154 4504ea 15184 4506d0 15154->15184 15157 4504c3 15155->15157 15157->15111 15159 450522 15160 4416ff ___std_exception_copy 14 API calls 15159->15160 15162 450527 15160->15162 15161 450569 15165 4505b2 15161->15165 15195 4500f9 15161->15195 15163 44b01a ___std_exception_destroy 14 API calls 15162->15163 15163->15157 15164 45053d std::_Locinfo::_Locinfo_ctor 15164->15161 15167 44b01a ___std_exception_destroy 14 API calls 15164->15167 15166 44b01a ___std_exception_destroy 14 API calls 15165->15166 15166->15157 15167->15161 15169->15120 15203 4395ae 15170->15203 15173 450228 GetOEMCP 15175 450251 15173->15175 15174 45023a 15174->15175 15176 45023f GetACP 15174->15176 15175->15157 15177 44b094 15175->15177 15176->15175 15178 44b0d2 15177->15178 15182 44b0a2 __Getctype 15177->15182 15180 4416ff ___std_exception_copy 14 API calls 15178->15180 15179 44b0bd RtlAllocateHeap 15181 44b0d0 15179->15181 15179->15182 15180->15181 15181->15153 15181->15154 15182->15178 15182->15179 15183 445a89 std::_Facet_Register 2 API calls 15182->15183 15183->15182 15185 450207 std::_Locinfo::_Locinfo_ctor 48 API calls 15184->15185 15186 4506f0 15185->15186 15187 4507f5 std::_Locinfo::_Locinfo_ctor 15186->15187 15189 45072d IsValidCodePage 15186->15189 15193 450748 std::_Locinfo::_Locinfo_ctor std::locale::_Setgloballocale 15186->15193 15188 433d77 _ValidateLocalCookies 5 API calls 15187->15188 15190 450517 15188->15190 
15189->15187 15191 45073f 15189->15191 15190->15159 15190->15164 15192 450768 GetCPInfo 15191->15192 15191->15193 15192->15187 15192->15193 15211 4502db 15193->15211 15196 450105 std::locale::_Setgloballocale 15195->15196 15222 44424b RtlEnterCriticalSection 15196->15222 15198 45010f 15223 450146 15198->15223 15204 4395c5 15203->15204 15205 4395cc 15203->15205 15204->15173 15204->15174 15205->15204 15206 449e42 __Getctype 40 API calls 15205->15206 15207 4395ed 15206->15207 15208 44a12d __Getctype 40 API calls 15207->15208 15209 439603 15208->15209 15210 44a18b std::_Locinfo::_Locinfo_ctor 50 API calls 15209->15210 15210->15204 15212 450303 GetCPInfo 15211->15212 15213 4503cc 15211->15213 15212->15213 15219 45031b 15212->15219 15215 433d77 _ValidateLocalCookies 5 API calls 15213->15215 15214 44f44d std::_Locinfo::_Locinfo_ctor 49 API calls 15216 450383 15214->15216 15217 45047e 15215->15217 15218 44a8a6 std::_Locinfo::_Locinfo_ctor 49 API calls 15216->15218 15217->15187 15220 4503a4 15218->15220 15219->15214 15221 44a8a6 std::_Locinfo::_Locinfo_ctor 49 API calls 15220->15221 15221->15213 15222->15198 15224 43ceeb std::_Locinfo::_Locinfo_ctor 40 API calls 15223->15224 15225 450168 15224->15225 15226 43ceeb std::_Locinfo::_Locinfo_ctor 40 API calls 15225->15226 15227 450187 15226->15227 15228 45011c 15227->15228 15229 44b01a ___std_exception_destroy 14 API calls 15227->15229 15230 45013a 15228->15230 15229->15228 15231 444293 std::_Lockit::~_Lockit RtlLeaveCriticalSection 15230->15231 15232 450128 15231->15232 15232->15165 15234 4395ae std::_Locinfo::_Locinfo_ctor 50 API calls 15233->15234 15235 449a56 15234->15235 15239 449a66 15235->15239 15240 44f44d 15235->15240 15237 433d77 _ValidateLocalCookies 5 API calls 15238 449b02 15237->15238 15238->15079 15239->15237 15241 4395ae std::_Locinfo::_Locinfo_ctor 49 API calls 15240->15241 15242 44f46d 15241->15242 15255 44b17a 15242->15255 15244 44f529 15246 433d77 _ValidateLocalCookies 5 API calls 15244->15246 15245 44f521 
[Execution-graph data, not rendered here: this block is a raw dump of graph nodes ("<node id> <function address> <API names or helper labels>") and call edges ("<id>-><id>") for functions of the sample at 0x40xxxx addresses. Function labels such as ___std_exception_copy or std::_Locinfo::_Locinfo_ctor are the sandbox's signature matches for statically linked CRT code, not symbols from the sample; the imported API names are the reliable part. Points recoverable from the dump:
    0x403467: WriteProcessMemory, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject (the remote-thread injection sequence; reached via the node at 0x43899c, labelled ___std_exception_copy)
    0x453db0: CreateFileW, CloseHandle, WriteConsoleW, GetLastError, WriteConsoleW (console/file output path)
    0x4351fb: RaiseException via Concurrency::cancel_current_task (C++ exception throw path)
    0x43364d / 0x433659: GetSystemTimePreciseAsFileTime / GetSystemTimeAsFileTime
    remaining nodes: CRT runtime helpers (MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, RtlEnterCriticalSection/RtlLeaveCriticalSection, WriteFile, GetConsoleMode, GetConsoleOutputCP, SetFilePointerEx, SetStdHandle, FindCloseChangeNotification, GetLastError) with no standalone significance]
16950->16951 16952 42f53f 16950->16952 16953 433672 std::_Facet_Register 42 API calls 16951->16953 16952->16891 16954 42f4ba 16953->16954 16955 4163b0 std::_Throw_Cpp_error 42 API calls 16954->16955 16956 42f4d0 16955->16956 16957 413d50 104 API calls 16956->16957 16958 42f4e0 16957->16958 16959 42f460 104 API calls 16958->16959 16960 42f531 16959->16960 16961 42f460 104 API calls 16960->16961 16961->16952 16963 433672 std::_Facet_Register 42 API calls 16962->16963 16964 417ea6 16963->16964 16965 4163b0 std::_Throw_Cpp_error 42 API calls 16964->16965 16966 417ec5 16965->16966 16966->16891 16968 41fac2 16967->16968 16969 41fb2b 16967->16969 16971 41facd 16968->16971 16972 41fafc 16968->16972 16970 402b50 Concurrency::cancel_current_task 42 API calls 16969->16970 16975 41fada 16970->16975 16971->16969 16973 41fad4 16971->16973 16974 41fb19 16972->16974 16977 433672 std::_Facet_Register 42 API calls 16972->16977 16976 433672 std::_Facet_Register 42 API calls 16973->16976 16974->16944 16978 438c70 std::_Throw_Cpp_error 40 API calls 16975->16978 16980 41fae3 16975->16980 16976->16975 16979 41fb06 16977->16979 16981 41fb35 16978->16981 16979->16944 16980->16944 16983 41fb5b std::locale::_Setgloballocale 16981->16983 16985 429c70 16981->16985 16983->16944 16984 41fb7f 16984->16944 16986 429dc4 16985->16986 16992 429ca2 16985->16992 16987 403330 42 API calls 16986->16987 16990 429d04 std::_Locinfo::_Locinfo_ctor 16987->16990 16988 429dbf 16989 402b50 Concurrency::cancel_current_task 42 API calls 16988->16989 16989->16986 16991 438c70 std::_Throw_Cpp_error 40 API calls 16990->16991 17003 429d8f std::ios_base::_Ios_base_dtor 16990->17003 16993 429dce 16991->16993 16992->16988 16994 429cf3 16992->16994 16995 429d1d 16992->16995 17004 419950 16993->17004 16994->16988 16996 429cfe 16994->16996 16995->16990 16999 433672 std::_Facet_Register 42 API calls 16995->16999 16998 433672 std::_Facet_Register 42 API calls 16996->16998 16998->16990 16999->16990 17000 429dd9 17001 4351fb 
Concurrency::cancel_current_task RaiseException 17000->17001 17002 429de2 17001->17002 17003->16984 17005 419968 17004->17005 17006 419978 std::ios_base::_Ios_base_dtor 17004->17006 17005->17006 17007 438c70 std::_Throw_Cpp_error 40 API calls 17005->17007 17006->17000 17008 41998d 17007->17008 17009 419a4f 17008->17009 17016 432b74 17008->17016 17009->17000 17015 419a04 17015->17000 17017 432af7 17016->17017 17018 4199cc 17017->17018 17045 439815 17017->17045 17018->17009 17024 4183b0 17018->17024 17023 43d0a8 78 API calls 17023->17018 17025 41843c 17024->17025 17026 418463 17024->17026 17097 44120a 17025->17097 17028 41c430 17026->17028 17029 432470 std::_Lockit::_Lockit 7 API calls 17028->17029 17030 41c45f 17029->17030 17031 432470 std::_Lockit::_Lockit 7 API calls 17030->17031 17035 41c4a9 std::_Throw_Cpp_error 17030->17035 17033 41c481 17031->17033 17032 41c4f8 17034 4324c8 std::_Lockit::~_Lockit 2 API calls 17032->17034 17037 4324c8 std::_Lockit::~_Lockit 2 API calls 17033->17037 17036 41c5c9 17034->17036 17035->17032 17038 433672 std::_Facet_Register 42 API calls 17035->17038 17036->17015 17037->17035 17039 41c506 17038->17039 17040 404040 std::_Throw_Cpp_error 75 API calls 17039->17040 17041 41c536 17040->17041 17042 404100 std::_Throw_Cpp_error 73 API calls 17041->17042 17043 41c592 17042->17043 17044 4326f7 std::_Facet_Register 42 API calls 17043->17044 17044->17032 17047 43975e std::locale::_Setgloballocale 17045->17047 17046 439771 17048 4416ff ___std_exception_copy 14 API calls 17046->17048 17047->17046 17050 439791 17047->17050 17049 439776 17048->17049 17051 438c60 ___std_exception_copy 40 API calls 17049->17051 17052 4397a3 17050->17052 17053 439796 17050->17053 17061 432b43 17051->17061 17055 44a8ef 17 API calls 17052->17055 17054 4416ff ___std_exception_copy 14 API calls 17053->17054 17054->17061 17056 4397ac 17055->17056 17057 4397b3 17056->17057 17058 4397c0 17056->17058 17059 4416ff ___std_exception_copy 14 API calls 17057->17059 17060 4397fe 
RtlLeaveCriticalSection 17058->17060 17059->17061 17060->17061 17061->17018 17062 43d5f6 17061->17062 17063 43d609 ___std_exception_copy 17062->17063 17068 43d34d 17063->17068 17066 43899c ___std_exception_copy 40 API calls 17067 432b5e 17066->17067 17067->17018 17067->17023 17070 43d359 std::locale::_Setgloballocale 17068->17070 17069 43d35f 17071 438be3 ___std_exception_copy 40 API calls 17069->17071 17070->17069 17072 43d3a2 17070->17072 17078 43d37a 17071->17078 17079 441250 RtlEnterCriticalSection 17072->17079 17074 43d3ae 17080 43d4d0 17074->17080 17076 43d3c4 17089 43d3ed 17076->17089 17078->17066 17079->17074 17081 43d4e3 17080->17081 17082 43d4f6 17080->17082 17081->17076 17092 43d3f7 17082->17092 17084 43d5a7 17084->17076 17085 439a91 73 API calls 17087 43d547 17085->17087 17086 43d519 17086->17084 17086->17085 17088 44263d 42 API calls 17087->17088 17088->17084 17096 441264 RtlLeaveCriticalSection 17089->17096 17091 43d3f5 17091->17078 17093 43d408 17092->17093 17095 43d460 17092->17095 17094 4425fd 42 API calls 17093->17094 17093->17095 17094->17095 17095->17086 17096->17091 17098 441216 17097->17098 17101 44122b 17097->17101 17099 4416ff ___std_exception_copy 14 API calls 17098->17099 17100 44121b 17099->17100 17102 438c60 ___std_exception_copy 40 API calls 17100->17102 17101->17026 17103 441226 17102->17103 17103->17026

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,0054D15C,00000000,74D723A0,-00589880), ref: 004096A6
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
                                    • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0054D15C,00000000,74D723A0,-00589880), ref: 004096C9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProcSend
                                    • String ID: Ws2_32.dll
                                    • API String ID: 2819740048-3093949381
                                    • Opcode ID: d946741ea927b9b060335f299eec8efad25939578b4ebaaa967d5c79e73c84d4
                                    • Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
                                    • Opcode Fuzzy Hash: d946741ea927b9b060335f299eec8efad25939578b4ebaaa967d5c79e73c84d4
                                    • Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96

                                    Control-flow Graph

                                    APIs
                                    • setsockopt.WS2_32(00000378,0000FFFF,00001006,?,00000008), ref: 004C7BA6
                                    • recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
                                    • WSAGetLastError.WS2_32 ref: 004C7BC5
                                    • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
                                    • recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
                                    • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
                                    • recv.WS2_32(00000000,?,00000008), ref: 004C7D1B
                                      • Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
                                      • Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
                                      • Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
                                      • Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
                                      • Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
                                      • Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
                                      • Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690
                                    • recv.WS2_32(?,00000004,00000008), ref: 004C7E23
                                    • __Xtime_get_ticks.LIBCPMT ref: 004C7E2A
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
                                    • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
                                    • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
                                    • String ID:
                                    • API String ID: 3089209366-0
                                    • Opcode ID: deda763b8fb6066c72b20903b58187ae793f723e7b47fea433c0891846b4f81f
                                    • Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
                                    • Opcode Fuzzy Hash: deda763b8fb6066c72b20903b58187ae793f723e7b47fea433c0891846b4f81f
                                    • Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                    • String ID:
                                    • API String ID: 448659506-0
                                    • Opcode ID: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
                                    • Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
                                    • Opcode Fuzzy Hash: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
                                    • Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(4D3BC757,00000000,00000000,?), ref: 00448F02
                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044990E
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00449918
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ConsoleErrorFileLastOutputWrite
                                    • String ID:
                                    • API String ID: 2915228174-0
                                    • Opcode ID: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
                                    • Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
                                    • Opcode Fuzzy Hash: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
                                    • Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65

                                    Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; first node 448dff-448e13)
                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00448CE6,00000000,?,0057A178,0000000C,00448DA2,?,?,?), ref: 00448E55
                                    • GetLastError.KERNEL32(?,00448CE6,00000000,?,0057A178,0000000C,00448DA2,?,?,?), ref: 00448E5F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ChangeCloseErrorFindLastNotification
                                    • String ID:
                                    • API String ID: 1687624791-0
                                    • Opcode ID: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
                                    • Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
                                    • Opcode Fuzzy Hash: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
                                    • Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D

                                    Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; first node 44251c-442534)
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00442626,?,?,?,?,?), ref: 00442558
                                    • GetLastError.KERNEL32(?,?,?,?,00442626,?,?,?,?,?,00000000,?,00000000), ref: 00442565
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastPointer
                                    • String ID:
                                    • API String ID: 2976181284-0
                                    • Opcode ID: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
                                    • Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
                                    • Opcode Fuzzy Hash: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
                                    • Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4

                                    Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; first node 4032d0-4032e0)
                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 0040331F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    • Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
                                    • Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
                                    • Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
                                    • Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788

                                    Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed; first node 44b094-44b0a0)
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 0044B0C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
                                    • Instruction ID: 07eaf642519ac51a5bd3283dd2addbb445c80e248ae9cef49388ffb333b33e8c
                                    • Opcode Fuzzy Hash: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
                                    • Instruction Fuzzy Hash: 99E022322006206BFF313AA69C14B5B764CEF413A3F190227EC25A62D1DB3CCC0092EE
                                    APIs
                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 004CF2F1
                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004CF30D
                                    • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004CF342
                                    • VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004CF36B
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 004CF50F
                                    • WriteProcessMemory.KERNEL32(?,00000218,004CF5E0,-00000010,00000000), ref: 004CF531
                                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 004CF544
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004CF54D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
                                    • String ID: %s|%s$131
                                    • API String ID: 2137838514-1629954864
                                    • Opcode ID: b88fb1ed2ebfd2a655c4879da0ce9de7ec8f2c0603ef1b71525654192dd42d6d
                                    • Instruction ID: 2ab717f03d3c912496b66fb944616d360f792c6fe5d042a247d22025e7d5b78f
                                    • Opcode Fuzzy Hash: b88fb1ed2ebfd2a655c4879da0ce9de7ec8f2c0603ef1b71525654192dd42d6d
                                    • Instruction Fuzzy Hash: 36B16BB1D002089FDB14CFA4CC95BAEBBB5FF18300F10426DE905BB291D774A984DBA5
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004535D7
                                    • IsValidCodePage.KERNEL32(?), ref: 00453615
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00453628
                                    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00453670
                                    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045368B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                    • String ID: *V
                                    • API String ID: 415426439-2897881622
                                    • Opcode ID: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
                                    • Instruction ID: 4a54d826d8e8e5dc964d84ffa3ac1e49b68ae0fe58eca9cd8e7cd24ca5604c7d
                                    • Opcode Fuzzy Hash: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
                                    • Instruction Fuzzy Hash: 4E517471A00209AFDB20DFA5CC41ABF77B8AF05743F14446AED01E7252EB74DA48DB65
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: 43a42e638d961d261596a491a02aa4b2327403fcfc943c4a8adc8c2915f1bcde
                                    • Instruction ID: 95be6499ce7b8f5c3e7b75284ec9f8f0661dd908efafa341dd21629552806af8
                                    • Opcode Fuzzy Hash: 43a42e638d961d261596a491a02aa4b2327403fcfc943c4a8adc8c2915f1bcde
                                    • Instruction Fuzzy Hash: 3AD23D71E086288FDB65CE28CD507EAB7B5EB84306F1441EBD80DE7241D778AE898F45
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • GetACP.KERNEL32(?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?,?), ref: 00452C19
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?), ref: 00452C50
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CodeInfoLocalePageValid
                                    • String ID: *V$utf8
                                    • API String ID: 607553120-210452255
                                    • Opcode ID: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
                                    • Instruction ID: 742b11dcb7ff0b0bfa38c284345f0d68b4d7ce619a9ba0daefdf44cafbbca61f
                                    • Opcode Fuzzy Hash: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
                                    • Instruction Fuzzy Hash: F071FA32600602A6D725AF75CD45B6B73A8EF16705F10042FFD05D7283EBF8E94C9699
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00453605,?,?), ref: 0045338C
                                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00453605,?,?), ref: 004533B5
                                    • GetACP.KERNEL32(?,?,00453605,?,?), ref: 004533CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
                                    • Instruction ID: 0023b8279c9b3e3643c8ce07df61025d6c2b7e12d2ffc4f7461f6cfcb2a1a3ae
                                    • Opcode Fuzzy Hash: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
                                    • Instruction Fuzzy Hash: 8021C432600100A7DB308F54C900A9BB3A6AF50FD3B568466EC06D7312EF36EF49D358
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                    • Instruction ID: 01dad5c531b3804b6668612822d9feb5b6f7af541a2af8c3bc89036eeee974e8
                                    • Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
                                    • Instruction Fuzzy Hash: DA023A71E002199BDF14CFA9D9C06AEFBB1FF48314F24926AE919B7380D735A9418B94
                                    APIs
                                    • GetSystemTimePreciseAsFileTime.KERNEL32(?,00433077,?,?,?,?,004C7E2F), ref: 00433655
                                    • GetSystemTimeAsFileTime.KERNEL32(?,4D3BC757,00000000,?,00551382,000000FF,?,00433077,?,?,?,?,004C7E2F), ref: 00433659
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem$Precise
                                    • String ID: `-@
                                    • API String ID: 743729956-3781167437
                                    • Opcode ID: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
                                    • Instruction ID: 3e04e591088ee8cc2650925c1d28f2227fba881fd4e87dc1a7d03300bd93dc66
                                    • Opcode Fuzzy Hash: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
                                    • Instruction Fuzzy Hash: 73F0A032904A54EFCB118F44DC11B59BBA8F708B21F004626EC12A3790DB34A9049F94
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452FCB
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00453015
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004530DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: InfoLocale$ErrorLast
                                    • String ID:
                                    • API String ID: 661929714-0
                                    • Opcode ID: f5cfd2435bfc6126f1a27ca0e302e8257e218aad689c2380b82d9cb027d6b9a4
                                    • Instruction ID: 48740d242bba4bd8a9c349c0ec2c6d2d1cd0f344531baebb5e7d544be35332ed
                                    • Opcode Fuzzy Hash: f5cfd2435bfc6126f1a27ca0e302e8257e218aad689c2380b82d9cb027d6b9a4
                                    • Instruction Fuzzy Hash: 4661C2315006079FEB249F25CC82BABB7A8EF04787F10417AED05C6686EB7CDA49CB54
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 00438B5C
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00438B66
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00438B73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: 190c57a89f893cc3a60c21e64f5d89c3dc83bf777de16abb744d2c180980a4ce
                                    • Instruction ID: 8ec399b23226fa191ec5ef1820ea8a0bb8d05e2da4fe9e987d2f7c16b8c22cf0
                                    • Opcode Fuzzy Hash: 190c57a89f893cc3a60c21e64f5d89c3dc83bf777de16abb744d2c180980a4ce
                                    • Instruction Fuzzy Hash: 8331D4759013189BCB21DF65D8897CDBBB8BF08310F5051EAF81CA7251EB749B858F48
                                    APIs
                                    • FindClose.KERNEL32(000000FF,?,0041D027,?,?,?,00424721), ref: 00431FA8
                                    • FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,0041D027,?,?,?,00424721), ref: 00431FD7
                                    • GetLastError.KERNEL32(?,0041D027,?,?,?,00424721), ref: 00431FE9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: Find$CloseErrorFileFirstLast
                                    • String ID:
                                    • API String ID: 4020440971-0
                                    • Opcode ID: b16ae3ed5c4ea8c825a7741cabbb9deee3b3ed014939fe7a26025e30d09a83a3
                                    • Instruction ID: 374c7283d1fee54890fd1da0f93e4c1b7d6ed331c4205a5270736a92a01d96fc
                                    • Opcode Fuzzy Hash: b16ae3ed5c4ea8c825a7741cabbb9deee3b3ed014939fe7a26025e30d09a83a3
                                    • Instruction Fuzzy Hash: D9F08232000208BFDB206FB5DC08DBA7BADEB18371F108626FD68C16B0D731D9A596B5
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?,?,?,00447E76,?,20001004,?,00000002,?,?,00447468), ref: 0044B768
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: `-@
                                    • API String ID: 2299586839-3781167437
                                    • Opcode ID: 49b4b54da173fcca6da5c5c7afb6aecc463d0371a21e889a3031e465fe0a4c2b
                                    • Instruction ID: 6cde8863e94abc83afdff9d02dc43b85bf30edba8fd47250f688fa8aae92868b
                                    • Opcode Fuzzy Hash: 49b4b54da173fcca6da5c5c7afb6aecc463d0371a21e889a3031e465fe0a4c2b
                                    • Instruction Fuzzy Hash: 65E04F36500218BBEF223F61EC05EAE7F26EF447A2F008416FD0565271CB75C921BAE9
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044DA81,?,?,?,?,?,?,00000000), ref: 0044DCB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: c4b844f4748ab43110d9ddc2113bf4f3516c88aed4eb779ad480f52b638fb61b
                                    • Instruction ID: a9cfdaf791ee03315f30e706cc2315f363a0b4456a4e08294abae47f684f0219
                                    • Opcode Fuzzy Hash: c4b844f4748ab43110d9ddc2113bf4f3516c88aed4eb779ad480f52b638fb61b
                                    • Instruction Fuzzy Hash: ECB15171910608DFE715CF28C48AB557BE0FF45364F25865AE899CF3A1C339E992CB44
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045321E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: ce8f16c0568beb61190bd24bea5fc54c05911f28a5d336557b2a67b9f4554f6f
                                    • Instruction ID: c68ba993faf54d01c6f16d81f3f5077507b086e8cfab0080940638b83f1b5490
                                    • Opcode Fuzzy Hash: ce8f16c0568beb61190bd24bea5fc54c05911f28a5d336557b2a67b9f4554f6f
                                    • Instruction Fuzzy Hash: 8D219872514606ABDB189E25DC42A7BB3A8EF04756F1000BFFD01D6242EB7CDE489758
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • EnumSystemLocalesW.KERNEL32(00452F77,00000001,00000000,?,?,?,004535AB,?), ref: 00452EC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: ed3a15461aa07a0672f4d58e186f542e4a9ded439744096cd7c499f36c17fdd7
                                    • Instruction ID: 0b970845e1a8773270f0425e193d970e9e25a52c90aa89fa5165c8154eb0a54b
                                    • Opcode Fuzzy Hash: ed3a15461aa07a0672f4d58e186f542e4a9ded439744096cd7c499f36c17fdd7
                                    • Instruction Fuzzy Hash: 8B11593B2007014FDB189F39D99267BB7A1FF84319B14442EED8687B41D3B5B806DB44
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00453193,00000000,00000000,?), ref: 00453425
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID:
                                    • API String ID: 3736152602-0
                                    • Opcode ID: 9fb8eb4d6cfb5dc9ab71851ad247751131481363ade4371d576ad0b9e7960359
                                    • Instruction ID: 7310505bafe8fff12ee8f5912ce4e44c5146d6de948bcf0b33cac505e4352342
                                    • Opcode Fuzzy Hash: 9fb8eb4d6cfb5dc9ab71851ad247751131481363ade4371d576ad0b9e7960359
                                    • Instruction Fuzzy Hash: 72014E336002127BDB195E25CC45BBB7764DB41797F14442AEC06A3281DA78FE45D994
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale
                                    • String ID: *V$utf8
                                    • API String ID: 3736152602-210452255
                                    • Opcode ID: 59e00f747d9bc6cf307ab543fe27e9585fa5185e009a5a777542dc83f29e6ce8
                                    • Instruction ID: aeef1e48df53c0e1e1989da3d76282249285fc4edbaa792ed956cb55b8cc0ce8
                                    • Opcode Fuzzy Hash: 59e00f747d9bc6cf307ab543fe27e9585fa5185e009a5a777542dc83f29e6ce8
                                    • Instruction Fuzzy Hash: E3F0C832610205ABD714AF35DC4AEBB73A8DB59316F10017FF902D7282EA7CAD099768
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • EnumSystemLocalesW.KERNEL32(004531CA,00000001,?,?,?,?,00453573,?,?,?,?), ref: 00452F36
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: a7aabdafeecc33135d5ef59119c1dd02303f614df75aa08249f401847eac2aa8
                                    • Instruction ID: 46f5077cb0f7882f4a3a694ed1b059b17750918d15d6876221f24d4c3ab0ea03
                                    • Opcode Fuzzy Hash: a7aabdafeecc33135d5ef59119c1dd02303f614df75aa08249f401847eac2aa8
                                    • Instruction Fuzzy Hash: 38F022372003045FDB249F35AC81A7B7BA1FB82769B15842FFE068B692C2B59C02A654
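Every record in this listing has the same shape: an "APIs" block whose calls are either made by the function itself or marked "Part of subcall function <addr>", the memory dumps the code was recovered from, and the Joe Sandbox similarity identifiers. When triaging a report of this size it helps to separate the two kinds of call, because a helper such as 00449E42 (which wraps GetLastError/SetLastError) is reached from every locale function above and would otherwise be counted against each caller. The Python parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin. It runs on a constructed sample whose records copy the shape of the entries on this page (the repeated "Associated" dump lines are left out because the parser ignores them, and the last record is deliberately truncated the way the final entry on this page is); the field names, the `via_subcall` attribute and the two summary functions are choices made for this example.

```python
# Added example: parse Joe Sandbox "APIs" records like the ones listed above.
# Not part of the report. SAMPLE is constructed from the shape of this page's
# records; "Associated" dump lines are omitted because the parser skips them.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
APIs
  • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
  • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045321E
Memory Dump Source
• Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• Instruction Fuzzy Hash: 8D219872514606ABDB189E25DC42A7BB3A8EF04756F1000BFFD01D6242EB7CDE489758
APIs
  • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
  • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3
• API ID: ErrorLast$InfoLocale
• String ID: *V$utf8
• Instruction Fuzzy Hash: E3F0C832610205ABD714AF35DC4AEBB73A8DB59316F10017FF902D7282EA7CAD099768
APIs
  • Part of subcall function 0044424B: RtlEnterCriticalSection.NTDLL(-00588967), ref: 0044425A
• EnumSystemLocalesW.KERNEL32(0044B1A4,00000001,0057A298,0000000C,0044B5D9,?,?,?,?), ref: 0044B1E9
Memory Dump Source
"""

# "• Part of subcall function 00449E42: GetLastError.KERNEL32(...), ref: 00449E46"
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
# "• API ID: ErrorLast$InfoLocale"; other "• key: value" lines are skipped.
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
FIELDS = {"API ID": "api_id", "String ID": "string_id",
          "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                     # address of the call instruction
    via_subcall: Optional[str]   # helper address when the call is not in this function


@dataclass
class FunctionRecord:
    api_id: str = ""
    string_id: str = ""
    instruction_fuzzy_hash: str = ""
    calls: List[ApiCall] = field(default_factory=list)

    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if c.via_subcall is None]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split on 'APIs' headers; a truncated final record keeps whatever it has."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue  # material before the first record
        m = CALL_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            current.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                         m["sub"].upper() if m["sub"] else None))
            continue
        m = FIELD_RE.match(line)
        if m and m["key"].strip() in FIELDS:
            setattr(current, FIELDS[m["key"].strip()], m["val"].strip())
    return records


def direct_api_histogram(records: List[FunctionRecord]) -> Counter:
    """Count only the APIs each function calls itself, not those inherited from helpers."""
    return Counter(c.api for r in records for c in r.direct_calls())


def shared_helpers(records: List[FunctionRecord]) -> Dict[str, dict]:
    """Per subcall helper: the APIs it wraps and how many records reach it.
    A helper shared by many records is scaffolding, not per-function behaviour."""
    apis: Dict[str, set] = defaultdict(set)
    callers: Dict[str, set] = defaultdict(set)
    for idx, rec in enumerate(records):
        for c in rec.calls:
            if c.via_subcall:
                apis[c.via_subcall].add(c.api)
                callers[c.via_subcall].add(idx)
    return {h: {"apis": sorted(apis[h]), "callers": len(callers[h])} for h in apis}
```

Feeding the full page through `parse_records` and then `shared_helpers` shows that 00449E42 is reached from every locale record while each record's own behaviour is just one GetLocaleInfoW or EnumSystemLocalesW call; `direct_api_histogram` gives the per-function view without that scaffolding. The unmatched "Source File", "Memory Dump Source" and "Similarity" lines are ignored rather than rejected, so a listing cut off mid-record, like the last entry on this page, still yields a partial record.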
                                    APIs
                                      • Part of subcall function 0044424B: RtlEnterCriticalSection.NTDLL(-00588967), ref: 0044425A
                                    • EnumSystemLocalesW.KERNEL32(0044B1A4,00000001,0057A298,0000000C,0044B5D9,?,?,?,?), ref: 0044B1E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: c95449866fe5fa4667aabee73304f47e4942a34859e8fff04667a9b00fb14092
                                    • Instruction ID: e80e171ad64c81d089edaf6c836f83e2cf4dda05f2f2c126e8d7e53f9a4c0b50
                                    • Opcode Fuzzy Hash: c95449866fe5fa4667aabee73304f47e4942a34859e8fff04667a9b00fb14092
                                    • Instruction Fuzzy Hash: F3F04F76A00200DFE700DF99E806B9C7BF0FB59B25F10819BF810E7290DBB999049F45
                                    APIs
                                      • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
                                      • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
                                    • EnumSystemLocalesW.KERNEL32(00452D5F,00000001,?,?,?,004535CD,?,?,?,?), ref: 00452E3D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: the same 28 associated dump files as listed above (identical for every function taken from this source file)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem
                                    • String ID:
                                    • API String ID: 2417226690-0
                                    • Opcode ID: 5ffb0c9d813d6eba6d8fd2e10c847f2c312efa30acac4b18343fb8da06ef6d7e
                                    • Instruction ID: fee7300587f55c0c421301d99721cdf1a1ff6f595eefe83fa7d5e966eb6188b0
                                    • Opcode Fuzzy Hash: 5ffb0c9d813d6eba6d8fd2e10c847f2c312efa30acac4b18343fb8da06ef6d7e
                                    • Instruction Fuzzy Hash: 8FF0553A30020557CB04AF35D80666BBFA0EFC2711B06405BEE09CB392C2B99846DB94
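                                     The function records above (APIs, Memory Dump Source, IDA Plugin snapshot, Similarity hashes) are what an analyst pivots on when comparing this sample against others. The following Python is an added example, not Joe Sandbox's own code: it parses records in the text layout shown on this page into structured entries, so the Instruction Fuzzy Hash can be indexed and functions can be searched by the API they call (here the locale enumeration flagged in the report's signatures). The record layout is assumed from what this page shows; the sample text is constructed from the two records above, with the shared "Associated" dump list shortened.

```python
"""Parse Joe Sandbox per-function 'Similarity' records into structured form.

Added example; record layout is assumed from the report text on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: two records copied from the report above. The long
# "Associated:" dump list is shortened because the parser skips it anyway.
SAMPLE = """\
APIs
  • Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
  • Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8
• EnumSystemLocalesW.KERNEL32(00452D5F,00000001,?,?,?,004535CD,?,?,?,?), ref: 00452E3D
Memory Dump Source
• Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 5ffb0c9d813d6eba6d8fd2e10c847f2c312efa30acac4b18343fb8da06ef6d7e
• Instruction ID: fee7300587f55c0c421301d99721cdf1a1ff6f595eefe83fa7d5e966eb6188b0
• Opcode Fuzzy Hash: 5ffb0c9d813d6eba6d8fd2e10c847f2c312efa30acac4b18343fb8da06ef6d7e
• Instruction Fuzzy Hash: 8FF0553A30020557CB04AF35D80666BBFA0EFC2711B06405BEE09CB392C2B99846DB94
Memory Dump Source
• Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b4a0174d0d62f2b1227807bd6e07e9c018e82f5f56551d9681256b3b92353b2
• Instruction ID: 68aa0d5ee95f80c7a91d8174e86b503e14c67071ff11744bcabbed3cfa87bcc2
• Opcode Fuzzy Hash: 4b4a0174d0d62f2b1227807bd6e07e9c018e82f5f56551d9681256b3b92353b2
• Instruction Fuzzy Hash: F96270B0D002599FDB14CF59C5846BEBBB1BF84308F2481AEDA14AB346C779DA46CF94
"""

# An API line: optional "Part of subcall function XXXXXXXX: " prefix, then
# Name.MODULE(args), ref: address. Addresses are 8 upper-case hex digits.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})$"
)
# A "Key: value" field line; the value may be empty (e.g. "String ID:").
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s?(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str                            # call-site address
    subcall_of: Optional[str] = None    # set when reported as part of a subcall


@dataclass
class FunctionRecord:
    fields: Dict[str, str] = field(default_factory=dict)
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into one FunctionRecord per 'Instruction Fuzzy Hash' line."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue                    # section headers carry no data
        line = line.lstrip("• ").strip()
        m = API_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["name"], m["module"],
                                     tuple(m["args"].split(",")), m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m["key"].strip(), m["value"].strip()
        if key == "Associated":
            continue                    # shared dump list, identical for every record
        cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":   # last field of a record
            records.append(cur)
            cur = FunctionRecord()
    return records


def functions_calling(records: List[FunctionRecord], api_names) -> List[FunctionRecord]:
    """Records whose direct or subcall API usage includes any of api_names."""
    wanted = set(api_names)
    return [r for r in records if any(c.name in wanted for c in r.calls)]


def index_by_hash(records: List[FunctionRecord]) -> Dict[str, FunctionRecord]:
    """Instruction Fuzzy Hash -> record, the key to pivot on across samples."""
    return {r.instruction_fuzzy_hash: r for r in records if r.instruction_fuzzy_hash}


def consistency_issues(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Records whose Opcode ID and Opcode Fuzzy Hash differ (they agree on this page)."""
    return [r for r in records if r.opcode_id != r.fields.get("Opcode Fuzzy Hash", "")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in functions_calling(recs, {"EnumSystemLocalesW"}):
        print(r.api_id, [(c.name, c.ref) for c in r.calls])
```

                                     Run against the full report text, index_by_hash gives a lookup table that can be compared with the same table built from another sample, and functions_calling narrows the thousands of records to those touching APIs of interest, such as the locale enumeration used here.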
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: the same 28 associated dump files as listed above (identical for every function taken from this source file)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4b4a0174d0d62f2b1227807bd6e07e9c018e82f5f56551d9681256b3b92353b2
                                    • Instruction ID: 68aa0d5ee95f80c7a91d8174e86b503e14c67071ff11744bcabbed3cfa87bcc2
                                    • Opcode Fuzzy Hash: 4b4a0174d0d62f2b1227807bd6e07e9c018e82f5f56551d9681256b3b92353b2
                                    • Instruction Fuzzy Hash: F96270B0D002599FDB14CF59C5846BEBBB1BF84308F2481AEDA14AB346C779DA46CF94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: the same 28 associated dump files as listed above (identical for every function taken from this source file)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
                                    • Instruction ID: 0e8ddfc969875e3dd00111f91a6503ca4c3a70c52638cfea05a5ef0fdf848abd
                                    • Opcode Fuzzy Hash: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
                                    • Instruction Fuzzy Hash: 1EE10276F1022A9FDB05CFA8D4816ADFBF1AF88320B5942AAD814B7340D774A945CB94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: the same 28 associated dump files as listed above (identical for every function taken from this source file)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a41b321b0bedac8989d8c8297ce8e3211a7e70ffbcb0090baa5e3f65be106bda
                                    • Instruction ID: 86fdf0966577921a64d033a0687854855d7760d31b02c963075edfb0c817f6d8
                                    • Opcode Fuzzy Hash: a41b321b0bedac8989d8c8297ce8e3211a7e70ffbcb0090baa5e3f65be106bda
                                    • Instruction Fuzzy Hash: 45C1DA709006069FEB24CF68C484A6BBBB1EF45304F14461FDB969B791C338ED66CB5A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: the same 28 associated dump files as listed above (identical for every function taken from this source file)
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: 337bf9b0213a408d992dbd779b211f999c4c3a8d278f465cc99103b402b18e84
                                    • Instruction ID: 7c06e8313ae742015ce167e0291709e23a9c2e608a4b019449313ff3a09dc83f
                                    • Opcode Fuzzy Hash: 337bf9b0213a408d992dbd779b211f999c4c3a8d278f465cc99103b402b18e84
                                    • Instruction Fuzzy Hash: 21B129315007019BDB38EB65CD82AB7B3A8EF45309F14452FED43C6642EBB9E989C718
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 31304fda07eb44754811e6465f7945cd712cae6a90f07cbe7a52602e90953672
                                    • Instruction ID: f297913e25a3591813c030fa515b242fba5e7fe6b87ce0d9dc90972f2508a2cf
                                    • Opcode Fuzzy Hash: 31304fda07eb44754811e6465f7945cd712cae6a90f07cbe7a52602e90953672
                                    • Instruction Fuzzy Hash: 0281FDB4A002469FDB118F69D8817BEFBF4AB2A315F04016EDC55A7383CB38990DD7A4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5d9e1b96ebeb8905ce8cf41e2ed65b6f129fd888b54bee42289f6865976a0455
                                    • Instruction ID: 9260139a4ef8e20400bb9b6c572cac56afe306f3fbbdb3538d7680a8b6287584
                                    • Opcode Fuzzy Hash: 5d9e1b96ebeb8905ce8cf41e2ed65b6f129fd888b54bee42289f6865976a0455
                                    • Instruction Fuzzy Hash: 506195356345684FE708CF1EECD04363B52A39E30538542AAEA81C7395C576FA2EE7E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
                                    • Instruction ID: 0bb0d4fe57c201db2c152aeff89cf209e4ab217caaafa113e802d716cdce1c0b
                                    • Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
                                    • Instruction Fuzzy Hash: 5B517D72D00219AFDF04CF99C940AEFBBB6FF88314F198459E955AB301D7389A50CB95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction ID: 4ba24db855cab2182e42f47a77fd888252c09f86d43135b4b8e5651c7dd79236
                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction Fuzzy Hash: B21131F724D08143EA74863DC8B46BBA795EBCD320F2D63BBE0C14BB58D52AD5459908
                                    APIs
                                    • RtlDecodePointer.NTDLL(?), ref: 004579FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: DecodePointer
                                    • String ID: `-@$acos$asin$exp$log$log10$pow$sqrt
                                    • API String ID: 3527080286-3628989360
                                    • Opcode ID: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
                                    • Instruction ID: bbf143f63b3841ec77cfacb8c6df481a799db6acf17f433172942b25d65e7ef2
                                    • Opcode Fuzzy Hash: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
                                    • Instruction Fuzzy Hash: 1651B370808A0ACBCF109F58F84C1BEBFB1FB05309F154166D851A7266C7799A2DCB4D
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0041A09D
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0041A0BF
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0041A0E7
                                    • __Getctype.LIBCPMT ref: 0041A1C5
                                    • std::_Facet_Register.LIBCPMT ref: 0041A1F9
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0041A223
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                    • String ID: PD@$PG@$E@
                                    • API String ID: 1102183713-4120405683
                                    • Opcode ID: 495f4126c8959cda1dad90c343e93fba20469dde2e2043d742b69906c970156d
                                    • Instruction ID: b372b58ab1bb25eec4b44a09b7f8f3aef2cc67a410616163416d5e42c3dffe19
                                    • Opcode Fuzzy Hash: 495f4126c8959cda1dad90c343e93fba20469dde2e2043d742b69906c970156d
                                    • Instruction Fuzzy Hash: 6E51BAB0D01245DFCB11CF98C9457AEBBF0FB14714F14825ED855AB391DB78AA88CB92
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 00437307
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0043730F
                                    • _ValidateLocalCookies.LIBCMT ref: 00437398
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 004373C3
                                    • _ValidateLocalCookies.LIBCMT ref: 00437418
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: `-@$csm
                                    • API String ID: 1170836740-3738301566
                                    • Opcode ID: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
                                    • Instruction ID: bde692452db8eba3752ab90a3e7788ac0719a0bf92b2230e47b89eff8dfd02fd
                                    • Opcode Fuzzy Hash: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
                                    • Instruction Fuzzy Hash: B041F8709042099FCF20DF59C885A9FBBA4BF08328F14905BFC54AB392D739E905DB95
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0041C45A
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0041C47C
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0041C4A4
                                    • std::_Facet_Register.LIBCPMT ref: 0041C59A
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0041C5C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                    • String ID: E@$PD@
                                    • API String ID: 459529453-4103272508
                                    • Opcode ID: fb94b052f71f665722219136562a8730e5ed9d67761b2a33bc821d4977d05291
                                    • Instruction ID: e4bc83ced0ac359faa997fd18d4eeb760fe14de2594101695cc0fd15b6690fbc
                                    • Opcode Fuzzy Hash: fb94b052f71f665722219136562a8730e5ed9d67761b2a33bc821d4977d05291
                                    • Instruction Fuzzy Hash: C351EFB0900255EFDB11CF58C991BAEBBF0FB10314F24415EE846AB381D7B9AA45CB95
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                    • Instruction ID: d7b9d7273cbfac5d15a556f8c8651b9033d93685d5a38535419dded3191b9e75
                                    • Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
                                    • Instruction Fuzzy Hash: D5B14672D006559FEB158F24CC81BEBBBA5EF59310F2441ABE904AB382D778D901C7E9
                                    APIs
                                    • FreeLibrary.KERNEL32(00000000,?,0044B48D,?,?,00000000,00000001,?,?,0044B6B7,00000022,FlsSetValue,00561B88,00561B90,00000001), ref: 0044B43F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 3664257935-537541572
                                    • Opcode ID: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
                                    • Instruction ID: e3d7dbf8d3e43151f67a2d3675c4fcd7809fc0c9af6198dcb17880ded4e1cd5b
                                    • Opcode Fuzzy Hash: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
                                    • Instruction Fuzzy Hash: A2212B36A01220A7E7319F619C45A6B7768EB51761F140112FC06A7392D734ED05D6D9
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4D3BC757,?,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 00443668
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044367A
                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 0044369C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$`-@$mscoree.dll
                                    • API String ID: 4061214504-3731901874
                                    • Opcode ID: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
                                    • Instruction ID: 11f561727bfec435161e86ab51d2faaed74d5e09c0b89d0474703e999051cdf2
                                    • Opcode Fuzzy Hash: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
                                    • Instruction Fuzzy Hash: 5601A232A44715AFDB219F44DC19BAFBBB8FB14B52F014526E812E27E0DB749A04CA94
                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00432730
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0043273B
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004327A9
                                      • Part of subcall function 0043288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004328A4
                                    • std::locale::_Setgloballocale.LIBCPMT ref: 00432756
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                    • String ID: `-@
                                    • API String ID: 677527491-3781167437
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00432BDC
                                    • RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432BFB
                                    • RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C29
                                    • RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C84
                                    • RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C9B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: AcquireExclusiveLock$CurrentThread
                                    • String ID:
                                    • API String ID: 66001078-0
                                    APIs
                                    • ___std_exception_destroy.LIBVCRUNTIME ref: 0040750C
                                    • ___std_exception_destroy.LIBVCRUNTIME ref: 00407522
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ___std_exception_destroy
                                    • String ID: )@$[json.exception.
                                    • API String ID: 4194217158-3378332251
                                    APIs
                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F
                                      • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,74D723A0,?,00431D09,?,005799D8,74D723A0,?,74D723A0,-00589880), ref: 0043525B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 1903096808-1866435925
                                    APIs
                                    • GetConsoleOutputCP.KERNEL32(4D3BC757,00000000,00000000,?), ref: 00448F02
                                      • Part of subcall function 0044EC55: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044A862,?,00000000,-00000008), ref: 0044ECB6
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00449154
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0044919A
                                    • GetLastError.KERNEL32 ref: 0044923D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                    • String ID:
                                    • API String ID: 2112829910-0
                                    APIs
                                    • WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000), ref: 00456D49
                                    • GetLastError.KERNEL32(?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?,?,?,0044986B,?), ref: 00456D55
                                      • Part of subcall function 00456D1B: CloseHandle.KERNEL32(FFFFFFFE,00456D65,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?,?), ref: 00456D2B
                                    • ___initconout.LIBCMT ref: 00456D65
                                      • Part of subcall function 00456CDD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00456D0C,00453DBB,?,?,00449291,?,00000000,00000000,?), ref: 00456CF0
                                    • WriteConsoleW.KERNEL32(?,?,?,00000000,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?), ref: 00456D7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    APIs
                                    • ___std_exception_copy.LIBVCRUNTIME ref: 00403819
                                    • ___std_exception_destroy.LIBVCRUNTIME ref: 004038F0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ___std_exception_copy___std_exception_destroy
                                    • String ID: )@
                                    • API String ID: 2970364248-4120265097
                                    • Opcode ID: ed1ac0f14267c2b8626e9d784d9228836504f476972db074cc70cf608e0aac1a
                                    • Instruction ID: 269ef50febfdc4b1c22cf7239a576f40f0b19685bcb009e1facc48eb6157c32a
                                    • Opcode Fuzzy Hash: ed1ac0f14267c2b8626e9d784d9228836504f476972db074cc70cf608e0aac1a
                                    • Instruction Fuzzy Hash: DD6169B1C00248DBDB10DF98C945B9EFFB5FF19324F14825EE814AB282D7B95A44CBA5
                                    APIs
                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F
                                      • Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,74D723A0,?,00431D09,?,005799D8,74D723A0,?,74D723A0,-00589880), ref: 0043525B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
                                    • String ID: ios_base::badbit set$ios_base::failbit set
                                    • API String ID: 1903096808-1240500531
                                    • Opcode ID: 8193a8ffeaccef37eb783ff7fe0bdc902a64c2974526b8af49cedd0c2b6b92ef
                                    • Instruction ID: 59789774a96eacd1a5b8f49c51d8e497543063f0a2ed12b155596828dbf76f3a
                                    • Opcode Fuzzy Hash: 8193a8ffeaccef37eb783ff7fe0bdc902a64c2974526b8af49cedd0c2b6b92ef
                                    • Instruction Fuzzy Hash: E84124B2C00244ABCB04DF68C845BAEBBB8FB49710F14826EF554A73C1D7795A00CBA5
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00404061
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004040C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                    • String ID: bad locale name
                                    • API String ID: 3988782225-1405518554
                                    • Opcode ID: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
                                    • Instruction ID: 65c2995a4cce64452fc0e082f9126f7f9302ed92d60cad1113ce5137d9e79936
                                    • Opcode Fuzzy Hash: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
                                    • Instruction Fuzzy Hash: DB112670805B84EED321CF69C50474BBFF0AF25714F10868DD09597781D3B9A604CB95
                                    APIs
                                    • ___std_exception_copy.LIBVCRUNTIME ref: 004165C9
                                    • ___std_exception_copy.LIBVCRUNTIME ref: 004165FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ___std_exception_copy
                                    • String ID: )@
                                    • API String ID: 2659868963-4120265097
                                    • Opcode ID: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
                                    • Instruction ID: 79ebb971947c26e29da123751e765caa72f3f100f47198c89106861aa63fe252
                                    • Opcode Fuzzy Hash: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
                                    • Instruction Fuzzy Hash: F0112EB6910649EBCB11CF99C980B86FBF8FF09724F10876AE82497641E774A5448BA0
                                    APIs
                                    • ___std_exception_destroy.LIBVCRUNTIME ref: 00407A5C
                                    • ___std_exception_destroy.LIBVCRUNTIME ref: 00407A72
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: ___std_exception_destroy
                                    • String ID: )@
                                    • API String ID: 4194217158-4120265097
                                    • Opcode ID: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
                                    • Instruction ID: 96290d15a7b89a27e7413382239de33ac52fdad5c525fa7f0e86a9c1871ea130
                                    • Opcode Fuzzy Hash: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
                                    • Instruction Fuzzy Hash: 68F012B1805744DFC711DF98C90178DFFF8FB05728F50466AE855A3780E7B5660487A5
                                    APIs
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,004389D2,00000001,00000016,00438BE1,?,?,?,?,?,00000000), ref: 0044B834
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4135787921.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4135724092.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136141433.000000000055D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136273916.0000000000585000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136345578.000000000058A000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136419236.0000000000596000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000598000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000745000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000747000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000749000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000757000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000764000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000779000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000789000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007A8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4136497224.00000000007E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138772842.0000000000980000.00000020.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_BqqQh4Jr7L.jbxd
                                    Similarity
                                    • API ID: CountCriticalInitializeSectionSpin
                                    • String ID: InitializeCriticalSectionEx$`-@
                                    • API String ID: 2593887523-3269949891
                                    • Opcode ID: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
                                    • Instruction ID: 5bcc12c1b0658f8dc7434a33690804c70bb56e7eadbb0958c8ec10a8e9d05d13
                                    • Opcode Fuzzy Hash: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
                                    • Instruction Fuzzy Hash: BDE09236581318BBCB212F92DC06DAE7F25EB24BA2F048022FD1956161C7768821BBD9