Edit tour

Windows Analysis Report
mpc-hc64.exe

Overview

General Information

Sample Name:	mpc-hc64.exe
Analysis ID:	658363
MD5:	b371a4b7ccb2ac89e38db6db3fff5381
SHA1:	e6b9b895ea94d41b0440bde57c3ac1b98f72ac3f
SHA256:	deac2a87da8340b072a2c266b465d517f86c1e3b18113e1c0113d662ba043c6b
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Tries to load missing DLLs

PE file contains sections with non-standard names

JA3 SSL client fingerprint seen in connection with other malware

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

mpc-hc64.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\mpc-hc64.exe" MD5: B371A4B7CCB2AC89E38DB6DB3FFF5381)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: mpc-hc64.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 172.67.3.208:443 -> 192.168.2.3:49750 version: TLS 1.2

Source: mpc-hc64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: H:\progs\Compiling\mpc-hc\bin\mpc-hc_x64\mpc-hc64.pdb source: mpc-hc64.exe

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: mpc-hc64.exe	String found in binary or memory: http://7-zip.org
Source: mpc-hc64.exe	String found in binary or memory: http://MediaArea.net/MediaInfo
Source: mpc-hc64.exe	String found in binary or memory: http://MediaArea.net/MediaInfoMediaInfoLib
Source: mpc-hc64.exe	String found in binary or memory: http://alexzambelli.com/blog/2009/02/10/smooth-streaming-architecture/
Source: mpc-hc64.exe	String found in binary or memory: http://alexzambelli.com/blog/2009/02/10/smooth-streaming-architecture/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://amamaman.hp.infoseek.co.jp/english/amv2_e.html;;;
Source: mpc-hc64.exe	String found in binary or memory: http://amamaman.hp.infoseek.co.jp/english/amv2_e.html;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://api.opensubtitles.org/xml-rpc
Source: mpc-hc64.exe	String found in binary or memory: http://api.thesubdb.com
Source: mpc-hc64.exe	String found in binary or memory: http://api.thesubdb.com/?action=download&hash=%s&language=%s
Source: mpc-hc64.exe	String found in binary or memory: http://api.thesubdb.com/?action=languages
Source: mpc-hc64.exe	String found in binary or memory: http://api.thesubdb.com/?action=languages&sK=&sAKA=1?sXML=1https://www.podnapisi.net/ppodnapisi/sear
Source: mpc-hc64.exe	String found in binary or memory: http://api.thesubdb.com/?action=search&hash=%s
Source: mpc-hc64.exe	String found in binary or memory: http://api.thesubdb.com/?action=search&hash=%sSubDB::HashUser-Agenthttp://api.thesubdb.com/?action=u
Source: mpc-hc64.exe	String found in binary or memory: http://api.thesubdb.com/?action=upload&hash=%s
Source: mpc-hc64.exe	String found in binary or memory: http://bellard.org/bpg/
Source: mpc-hc64.exe	String found in binary or memory: http://browsehappy.com/
Source: mpc-hc64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: mpc-hc64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: mpc-hc64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: mpc-hc64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: mpc-hc64.exe, 00000000.00000002.550860063.0000017BCE552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mpc-hc64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: mpc-hc64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mpc-hc64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: mpc-hc64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: mpc-hc64.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: mpc-hc64.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: mpc-hc64.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: mpc-hc64.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mpc-hc64.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mpc-hc64.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: mpc-hc64.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: mpc-hc64.exe	String found in binary or memory: http://developers.videolan.org/x264.html
Source: mpc-hc64.exe	String found in binary or memory: http://diracvideo.org/
Source: mpc-hc64.exe	String found in binary or memory: http://diracvideo.org/;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://dividix.host.sk
Source: mpc-hc64.exe	String found in binary or memory: http://dividix.host.sk;.net
Source: mpc-hc64.exe	String found in binary or memory: http://eMajix.com
Source: mpc-hc64.exe	String found in binary or memory: http://eMajix.com;;;
Source: mpc-hc64.exe	String found in binary or memory: http://eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf
Source: mpc-hc64.exe	String found in binary or memory: http://eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf;;;;
Source: mpc-hc64.exe	String found in binary or memory: http://etree.org/shnutils/shorten/;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://ffdshow-tryout.sourceforge.net/
Source: mpc-hc64.exe	String found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;
Source: mpc-hc64.exe	String found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;;;
Source: mpc-hc64.exe	String found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;;RGBA
Source: mpc-hc64.exe	String found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://ffdshow.sourceforge.net/tikiwiki/tiki-index.php?page=Getting
Source: mpc-hc64.exe	String found in binary or memory: http://flac.sourceforge.net
Source: mpc-hc64.exe	String found in binary or memory: http://flac.sourceforge.net/
Source: mpc-hc64.exe	String found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe
Source: mpc-hc64.exe	String found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe;Advanced;;
Source: mpc-hc64.exe	String found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe;Alpha;;
Source: mpc-hc64.exe	String found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe;Heightened
Source: mpc-hc64.exe	String found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe;Simple;;
Source: mpc-hc64.exe	String found in binary or memory: http://gpac.sourceforge.net/;JPEG
Source: mpc-hc64.exe	String found in binary or memory: http://localhost:%d/viewres.html?id=%IxAll
Source: mpc-hc64.exe	String found in binary or memory: http://mediaarea.net/DIVX;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://mediaarea.net/DX50;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://mediaarea.net/XVID;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://mediaxw.sourceforge.net
Source: mpc-hc64.exe	String found in binary or memory: http://mediaxw.sourceforge.net;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;;
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;;RGB
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;;
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV;
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe;;;
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe
Source: mpc-hc64.exe	String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://mpc-hc.org)
Source: mpc-hc64.exe	String found in binary or memory: http://mpc-hc.org)http://api.thesubdb.comSubDBhttp://www.opensubtitles.orghttp://napisy24.pl/Napisy2
Source: mpc-hc64.exe	String found in binary or memory: http://mysif.ru/SIF1_dd_Eng.htm;;;
Source: mpc-hc64.exe	String found in binary or memory: http://napisy24.pl/
Source: mpc-hc64.exe	String found in binary or memory: http://napisy24.pl/komentarze?napisId=
Source: mpc-hc64.exe	String found in binary or memory: http://napisy24.pl/komentarze?napisId=napisIdNapisy24::Hashtime%02d:%02d:%02dfyearNapisy24::Download
Source: mpc-hc64.exe	String found in binary or memory: http://napisy24.pl/run/CheckSubAgent.php
Source: mpc-hc64.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: mpc-hc64.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: mpc-hc64.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: mpc-hc64.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: mpc-hc64.exe	String found in binary or memory: http://opus-codec.org
Source: mpc-hc64.exe	String found in binary or memory: http://opus-codec.org/;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://packs.matroska.org/
Source: mpc-hc64.exe	String found in binary or memory: http://rarlabs.com
Source: mpc-hc64.exe	String found in binary or memory: http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358
Source: mpc-hc64.exe	String found in binary or memory: http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358;;;
Source: mpc-hc64.exe	String found in binary or memory: http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://sourceforge.net/projects/mediainfo/
Source: mpc-hc64.exe	String found in binary or memory: http://thbeck.de/Tak/Tak.html;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://true-audio.com
Source: mpc-hc64.exe	String found in binary or memory: http://umezawa.dyndns.info/archive/utvideo;;;RGB;4:4:4
Source: mpc-hc64.exe	String found in binary or memory: http://umezawa.dyndns.info/archive/utvideo;;;RGBA;4:4:4:4
Source: mpc-hc64.exe	String found in binary or memory: http://umezawa.dyndns.info/archive/utvideo;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://umezawa.dyndns.info/archive/utvideo;;;YUV;4:2:2
Source: mpc-hc64.exe	String found in binary or memory: http://video.google.com/playerdownload.html
Source: mpc-hc64.exe	String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=Recommended_Ogg_Vorbis
Source: mpc-hc64.exe	String found in binary or memory: http://winace.com
Source: mpc-hc64.exe	String found in binary or memory: http://winamp.com
Source: mpc-hc64.exe	String found in binary or memory: http://winlirc.sourceforge.net/CPPageAccelTbl%uhttp://www.mediatexx.com/Ctrl
Source: mpc-hc64.exe	String found in binary or memory: http://winzip.com
Source: mpc-hc64.exe	String found in binary or memory: http://world.casio.com/;Casio
Source: mpc-hc64.exe	String found in binary or memory: http://www.3gpp.org/;3GPP
Source: mpc-hc64.exe	String found in binary or memory: http://www.3gpp2.org/;3GPP2
Source: mpc-hc64.exe	String found in binary or memory: http://www.3ivx.com/download/
Source: mpc-hc64.exe	String found in binary or memory: http://www.3ivx.com/download/;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.adobe.fr/products/encore/;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: mpc-hc64.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/File
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/appletv/;Apple
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/iphone/;Apple
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/itunes/;AES
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/itunes/;Apple
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;422
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;422;;YUV;4:2:2
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;4444
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;4444;;;4:4:4
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;;4:4:4
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;RGB
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;YUV;
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;YUV;4:2:2
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Adobe
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Base
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Facebook
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;High;;YUV;4:2:2
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;ISML
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;ISO
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;JVT
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;LT;;YUV;4:2:2
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Mobile
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Narrow
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Normal;;YUV;4:2:2
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;PIFF
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Proxy;;YUV;4:2:2
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;QuickTime
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Quicktime
Source: mpc-hc64.exe	String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Wide
Source: mpc-hc64.exe	String found in binary or memory: http://www.array.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.array.com;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.autodesk.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.avs.org.cn/;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://www.bbc.co.uk/rd/projects/dirac/index.shtml;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.bitjazz.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.blender3d.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.chem.nott.ac.uk/flc.html;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://www.chiariglione.org/mpeg/technologies/mp04-sls/index.htm;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.cineform.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.cineform.com/products/ConnectHD.htm
Source: mpc-hc64.exe	String found in binary or memory: http://www.cineform.com/products/ConnectHD.htm;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.cineform.com/products/ConnectHD.htm;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://www.cinepak.com/text.html
Source: mpc-hc64.exe	String found in binary or memory: http://www.cinepak.com/text.html;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.cpcweb.com/Captioning/cap_software.htm;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.cyberlink.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.cyberlink.com;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: mpc-hc64.exe	String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-AM-20040311#
Source: mpc-hc64.exe	String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-CPL-20040511#
Source: mpc-hc64.exe	String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-PKL-20040311#
Source: mpc-hc64.exe	String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-PKL-20040311#text/xml;asdcpKind=CPLapplication/x-smpte-mxf;asdcp
Source: mpc-hc64.exe	String found in binary or memory: http://www.digitalvoodoo.net/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.divx.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.divx.com;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.divxity.com/download/ap4v1-702.exe
Source: mpc-hc64.exe	String found in binary or memory: http://www.divxity.com/download/ap4v1-702.exe;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.dolby.com/consumer/technology/trueHD.html
Source: mpc-hc64.exe	String found in binary or memory: http://www.dts.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexrgb.htm
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGB
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGB;
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGB;;4
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGB;;8
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGBA
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexyuv.htm
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV;
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV;4:1:1
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV;4:2:2
Source: mpc-hc64.exe	String found in binary or memory: http://www.fraps.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.fraps.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.free-codecs.com/Ogg_DirectShow_Filters_download.htm
Source: mpc-hc64.exe	String found in binary or memory: http://www.free-codecs.com/download/Alparysoft_Lossless_Video_Codec.htm
Source: mpc-hc64.exe	String found in binary or memory: http://www.free-codecs.com/download/Alparysoft_Lossless_Video_Codec.htm;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.geovision.com.tw/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.gotomeeting.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.gotomeeting.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.ii.uj.edu.pl/~jezabek/blox/blox-0.1.0b.zip
Source: mpc-hc64.exe	String found in binary or memory: http://www.ii.uj.edu.pl/~jezabek/blox/blox-0.1.0b.zip;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.iis.fraunhofer.de/amm/index.html
Source: mpc-hc64.exe	String found in binary or memory: http://www.iis.fraunhofer.de/amm/index.html;
Source: mpc-hc64.exe	String found in binary or memory: http://www.iis.fraunhofer.de/amm/index.html;;Version
Source: mpc-hc64.exe	String found in binary or memory: http://www.intel.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.isky.co.kr/html/cs/download.jsp
Source: mpc-hc64.exe	String found in binary or memory: http://www.iso.org/;JPEG
Source: mpc-hc64.exe	String found in binary or memory: http://www.iso.org/;Motion
Source: mpc-hc64.exe	String found in binary or memory: http://www.itu.int
Source: mpc-hc64.exe	String found in binary or memory: http://www.itu.int/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.ligos.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.linek.sk/mlc/;;;;;;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.loronix.com/products/video_clips/wavecodec.asp
Source: mpc-hc64.exe	String found in binary or memory: http://www.loronix.com/products/video_clips/wavecodec.asp;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.lossless-audio.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.lossless-audio.com/;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.lucasarts.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.lucasarts.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.macromedia.com/go/getflashplayer
Source: mpc-hc64.exe	String found in binary or memory: http://www.matrox.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.meridian-audio.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.monkeysaudio.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.monkeysaudio.com/;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.morgan-multimedia.com/JPEG
Source: mpc-hc64.exe	String found in binary or memory: http://www.msoftware.co.nz
Source: mpc-hc64.exe	String found in binary or memory: http://www.musepack.net;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://www.nellymoser.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.nero.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.nero.com;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.nerodigital.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.nerodigital.com;Nero
Source: mpc-hc64.exe	String found in binary or memory: http://www.nue.tu-berlin.de/forschung/projekte/lossless/mp4als.html#downloads
Source: mpc-hc64.exe	String found in binary or memory: http://www.nue.tu-berlin.de/forschung/projekte/lossless/mp4als.html#downloads;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.on2.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.on2.com/vp7.php3
Source: mpc-hc64.exe	String found in binary or memory: http://www.on2.com/vp7.php3;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.opensubtitles.org
Source: mpc-hc64.exe	String found in binary or memory: http://www.pegasusimaging.com/cgi-bin/download2.cgi?LVIDB
Source: mpc-hc64.exe	String found in binary or memory: http://www.pegasusimaging.com/cgi-bin/download2.cgi?LVIDB;;;RGB;
Source: mpc-hc64.exe	String found in binary or memory: http://www.playon.tv/playlater
Source: mpc-hc64.exe	String found in binary or memory: http://www.q-team.de
Source: mpc-hc64.exe	String found in binary or memory: http://www.q-team.de;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.real.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.real.com;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.real.com;;;;;;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.real.com;HE-AAC
Source: mpc-hc64.exe	String found in binary or memory: http://www.real.com;LC
Source: mpc-hc64.exe	String found in binary or memory: http://www.sdcard.org/;SD
Source: mpc-hc64.exe	String found in binary or memory: http://www.sega.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.sega.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-2/2013
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-2/2016/PKL
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-2/2016/PKLhttp://www.smpte-ra.org/schemas/429-8/2007/PKLAnnotat
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-2/XXXX
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013http://www.smpte-ra.org/schemas/2067-2/XXXXhttp://www.smp
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2016
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/XXXX
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/429-7/2006/CPL
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/429-7/2006/CPLhttp://www.digicine.com/PROTO-ASDCP-CPL-20040511#TimeC
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/429-8/2007/PKL
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/429-9/2007/AM
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte-ra.org/schemas/429-9/2007/AMhttp://www.digicine.com/PROTO-ASDCP-AM-20040311#AssetMa
Source: mpc-hc64.exe	String found in binary or memory: http://www.smpte.org/;;;YUV
Source: mpc-hc64.exe	String found in binary or memory: http://www.sony.com/;Sony
Source: mpc-hc64.exe	String found in binary or memory: http://www.sony.com/;Sony/Mobile
Source: mpc-hc64.exe	String found in binary or memory: http://www.speex.org/
Source: mpc-hc64.exe	String found in binary or memory: http://www.speex.org/;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://www.streambox.com/products/act-L2_codec.htm
Source: mpc-hc64.exe	String found in binary or memory: http://www.streambox.com/products/act-L2_codec.htm;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.theora.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.theora.org
Source: mpc-hc64.exe	String found in binary or memory: http://www.theora.org/;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://www.twinvq.org/english/index_en.html
Source: mpc-hc64.exe	String found in binary or memory: http://www.vmware.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.vmware.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.vodei.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.volny.cz/aberka/czech/aqt.html;Lossless
Source: mpc-hc64.exe	String found in binary or memory: http://www.vorbis.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.vorbis.com/;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://www.vorbis.com;
Source: mpc-hc64.exe	String found in binary or memory: http://www.vorbis.com;;Mode
Source: mpc-hc64.exe	String found in binary or memory: http://www.voxware.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.wavpack.com
Source: mpc-hc64.exe	String found in binary or memory: http://www.wavpack.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.wavpack.com/;
Source: mpc-hc64.exe	String found in binary or memory: http://www.webmproject.org/
Source: mpc-hc64.exe	String found in binary or memory: http://www.webmproject.org/;Lossy
Source: mpc-hc64.exe	String found in binary or memory: http://www.webmproject.org;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://www.winnov.com/
Source: mpc-hc64.exe	String found in binary or memory: http://www.winnov.com/;;;
Source: mpc-hc64.exe	String found in binary or memory: http://www.xvid.org/Downloads.15.0.html
Source: mpc-hc64.exe	String found in binary or memory: http://www.xvid.org/Downloads.15.0.html;;;YUV;4:2:0
Source: mpc-hc64.exe	String found in binary or memory: http://xmm.sourceforge.net/DivX5-6_Xvid_Bitstream_version.php
Source: mpc-hc64.exe	String found in binary or memory: https://github.com/Vidvox/hap;;;
Source: mpc-hc64.exe	String found in binary or memory: https://mpc-hc.org/
Source: mpc-hc64.exe	String found in binary or memory: https://mpc-hc.org/downloads/%u.%u.%u.0Your
Source: mpc-hc64.exe, 00000000.00000002.550631297.0000017BCE513000.00000004.00000020.00020000.00000000.sdmp, mpc-hc64.exe, 00000000.00000002.550447198.0000017BCE4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpc-hc.org/version.txt
Source: mpc-hc64.exe, 00000000.00000002.550631297.0000017BCE513000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpc-hc.org/version.txtF
Source: mpc-hc64.exe	String found in binary or memory: https://mpc-hc.org/version.txtUpdaterLastCheck
Source: mpc-hc64.exe, 00000000.00000002.550447198.0000017BCE4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpc-hc.org/version.txtpO
Source: mpc-hc64.exe	String found in binary or memory: https://trac.mpc-hc.org/
Source: mpc-hc64.exe	String found in binary or memory: https://trac.mpc-hc.org/ticket/3739AfxSocketInit
Source: mpc-hc64.exe	String found in binary or memory: https://trac.mpc-hc.org/wiki/Toolbar_imageshttps://mpc-hc.org/donate/DwmGetWindowAttributeDwmapi.dll
Source: mpc-hc64.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: mpc-hc64.exe	String found in binary or memory: https://www.podnapisi.net
Source: mpc-hc64.exe	String found in binary or memory: https://www.podnapisi.net/ppodnapisi/search
Source: mpc-hc64.exe	String found in binary or memory: https://www.podnapisi.net/subtitles/%s/download
Source: mpc-hc64.exe	String found in binary or memory: https://www.podnapisi.net/subtitles/%s/downloadpodnapisi::Hash&ap=mpc-hc&ua=mpc-hcpostAction=CheckSu

Source: unknown

DNS traffic detected: queries for: mpc-hc.org

Source: global traffic

HTTP traffic detected: GET /version.txt HTTP/1.1User-Agent: MPC-HC (64-bit) (Windows 10.0 x64)/1.7.13 (e37826845)Host: mpc-hc.orgCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 172.67.3.208:443 -> 192.168.2.3:49750 version: TLS 1.2

Source: mpc-hc64.exe, 00000000.00000000.280378828.00007FF77FB90000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: GetRawInputData

Source: mpc-hc64.exe, 00000000.00000000.280378828.00007FF77FB90000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs mpc-hc64.exe
Source: mpc-hc64.exe, 00000000.00000000.280378828.00007FF77FB90000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: http://www.smpte-ra.org/schemas/2067-2/2016/PKLhttp://www.smpte-ra.org/schemas/429-8/2007/PKLAnnotationTextDCP PKLIMF PKLhttp://www.digicine.com/PROTO-ASDCP-PKL-20040311#text/xml;asdcpKind=CPLapplication/x-smpte-mxf;asdcpKind=PictureOriginalFileNametext/xmlapplication/x-smpte-mxf;asdcpKind=Sound vs mpc-hc64.exe
Source: mpc-hc64.exe, 00000000.00000002.557735054.00007FF77FB90000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs mpc-hc64.exe
Source: mpc-hc64.exe, 00000000.00000002.557735054.00007FF77FB90000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: http://www.smpte-ra.org/schemas/2067-2/2016/PKLhttp://www.smpte-ra.org/schemas/429-8/2007/PKLAnnotationTextDCP PKLIMF PKLhttp://www.digicine.com/PROTO-ASDCP-PKL-20040311#text/xml;asdcpKind=CPLapplication/x-smpte-mxf;asdcpKind=PictureOriginalFileNametext/xmlapplication/x-smpte-mxf;asdcpKind=Sound vs mpc-hc64.exe
Source: mpc-hc64.exe	Binary or memory string: OriginalFileName vs mpc-hc64.exe
Source: mpc-hc64.exe	Binary or memory string: http://www.smpte-ra.org/schemas/2067-2/2016/PKLhttp://www.smpte-ra.org/schemas/429-8/2007/PKLAnnotationTextDCP PKLIMF PKLhttp://www.digicine.com/PROTO-ASDCP-PKL-20040311#text/xml;asdcpKind=CPLapplication/x-smpte-mxf;asdcpKind=PictureOriginalFileNametext/xmlapplication/x-smpte-mxf;asdcpKind=Sound vs mpc-hc64.exe

Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mpc-hc64.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: rmclient.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mpc-hc64.exe	Section loaded: ncryptsslp.dll

Source: mpc-hc64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mpc-hc64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\mpc-hc64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{591209c7-767b-42b2-9fba-44ee4615f2c7}\InProcServer32

Source: C:\Users\user\Desktop\mpc-hc64.exe

Mutant created: \Sessions\1\BaseNamedObjects\MediaPlayerClassicW

Source: mpc-hc64.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 2

Perma Link

Source: mpc-hc64.exe	String found in binary or memory: Video switchStream failed. Result: 0x%08xCFGManagerBDA::SetChannelInternalAudio switchStream failed. Result: 0x%08xStream maps:Mapped PID MPEG-2: %u, Mapped PID H.264: %u, Mapped PID HEVC: %u.Mapped PID MPA: %u, Mapped PID AC3: %u, Mapped PID EAC3: %u, Mapped PID AAC-LATM: %u.Mapped PID Subtitles: %u.Dynamic pin interface not supported.CFGManagerBDA::SwitchStreamSwitchStream - Stream type: %d. Result: 0x%08xIMediaControl stop: 0x%08x.CFGManagerBDA::ChangeStateIMediaControl pause.IMediaControl play: 0x%08x.atIconLibVersionmpciconlib.dllMedia Player ClassicPreviousRegistrationSoftware\Clients\Media\Media Player Classic\CapabilitiesSoftware\Clients\Media\Media Player Classic\Capabilities\FileAssociations" "%1""" /add "%1" %1VideoFilesMusicFiles %1 /cdCDAudio %1 /dvdDVDMovieGetIconIndexGetIconLibVersionmplayerc64NoRecentDocs",0SOFTWARE\RegisteredApplicationsApplicationDescriptionApplicationIconApplicationName\shell\enqueueIcon\shell\enqueue\command\shell\open\shell\open\command"%s",%d\DefaultIconDirectory\shell\mplayerc64.enqueueDirectory\shell\mplayerc64.enqueue\commandDirectory\shell\mplayerc64.playDirectory\shell\mplayerc64.play\commandMediaPlayerClassic.Autorun\CommandMediaPlayerClassic.Autorun\Shell\PlayOnArrivalSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MPCPlayActionProviderInvokeProgIDPlayInvokeVerb,0DefaultIconSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers\PlayMPCPlaycomctl32.dllTaskDialogIndirect/iconsassoc
Source: mpc-hc64.exe	String found in binary or memory: #menu-help {
Source: mpc-hc64.exe	String found in binary or memory: <td id="menu-help" class="text-right">Help</td>
Source: mpc-hc64.exe	String found in binary or memory: /logoffLog off after playback&/lockLock workstation after playback//monitoroffTurn off the monitor after playback6/playnextOpen next file in the folder after playback$/fullscreenStart in fullscreen mode"/minimizedStart in minimized mode&/newUse a new instance of the playerF/addAdd "pathname" to playlist, can be combined with /open and /play!/randomizeRandomize the playlist1/regvidCreate file associations for video files1/regaudCreate file associations for audio files3/regplCreate file associations for playlist files>/regallCreate file associations for all supported file types'/unregallRemove all file associations1/start msStart playing at "ms" (= milliseconds)5/startpos hh:mm:ssStart playing at position hh:mm:ss&/fixedsize w,hSet a fixed window size;/monitor NStart player on monitor N, where N starts from 1[/audiorenderer NStart using audiorenderer N, where N starts from 1 (see "Output" settings)1/shaderpreset "Pr"Start using "Pr" shader preset Media Player Classic Home Cinema%Marcel Hoffs, marcelhoffs@hotmail.com&Steven W. Smith, smith78@sbcglobal.net#Robbie Khan, email@robbiekhan.co.uk

Source: classification engine

Classification label: clean1.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\mpc-hc64.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\mpc-hc64.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\mpc-hc64.exe

Window found: window name: msctls_updown32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\mpc-hc64.exe

Window detected: Number of UI elements: 36

Source: mpc-hc64.exe

Static file information: File size 12661488 > 1048576

Source: mpc-hc64.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: mpc-hc64.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: mpc-hc64.exe

Static PE information: certificate valid

Source: mpc-hc64.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x81e200
Source: mpc-hc64.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2bec00

Source: mpc-hc64.exe	Static PE information: More than 200 imports for KERNEL32.dll
Source: mpc-hc64.exe	Static PE information: More than 200 imports for USER32.dll

Source: mpc-hc64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mpc-hc64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mpc-hc64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mpc-hc64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mpc-hc64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mpc-hc64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mpc-hc64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: mpc-hc64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: H:\progs\Compiling\mpc-hc\bin\mpc-hc_x64\mpc-hc64.pdb source: mpc-hc64.exe

Source: mpc-hc64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mpc-hc64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mpc-hc64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mpc-hc64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mpc-hc64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: mpc-hc64.exe	Static PE information: section name: .giats
Source: mpc-hc64.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\mpc-hc64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mpc-hc64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mpc-hc64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mpc-hc64.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\mpc-hc64.exe

Process information queried: ProcessInformation

Source: mpc-hc64.exe, 00000000.00000002.550814281.0000017BCE540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mpc-hc64.exe, 00000000.00000002.550447198.0000017BCE4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USnT
Source: mpc-hc64.exe	Binary or memory string: VMNC;Vmware;;;http://www.vmware.com/;;;
Source: mpc-hc64.exe, 00000000.00000002.549687980.0000017BCC2A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mpc-hc64.exe	Binary or memory string: VMNC;Vmware;4CC;V;;;;http://www.vmware.com/

Source: mpc-hc64.exe, 00000000.00000002.549687980.0000017BCC2A0000.00000004.00000020.00020000.00000000.sdmp, mpc-hc64.exe, 00000000.00000002.550135175.0000017BCC465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\192.168.2.1\all\procexp.exe
Source: mpc-hc64.exe, 00000000.00000002.549687980.0000017BCC2A0000.00000004.00000020.00020000.00000000.sdmp, mpc-hc64.exe, 00000000.00000002.550135175.0000017BCC465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "c:\users\user\desktop\procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
mpc-hc64.exe	1%	Virustotal	Browse
mpc-hc64.exe	0%	Metadefender	Browse
mpc-hc64.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe	0%	Avira URL Cloud	safe
http://www.fourcc.org/indexyuv.htm;;;YUV;	0%	Avira URL Cloud	safe
http://www.isky.co.kr/html/cs/download.jsp	0%	Avira URL Cloud	safe
http://www.divx.com;;;YUV;4:2:0	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-2/2016/PKL	0%	Avira URL Cloud	safe
http://www.speex.org/	0%	Avira URL Cloud	safe
http://www.lucasarts.com/	0%	Avira URL Cloud	safe
http://api.thesubdb.com	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;;	0%	Avira URL Cloud	safe
http://api.thesubdb.com/?action=download&hash=%s&language=%s	0%	Avira URL Cloud	safe
http://mediaxw.sourceforge.net;;;YUV	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-2/2016/PKLhttp://www.smpte-ra.org/schemas/429-8/2007/PKLAnnotat	0%	Avira URL Cloud	safe
http://eMajix.com	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV	0%	Avira URL Cloud	safe
http://www.streambox.com/products/act-L2_codec.htm	0%	Avira URL Cloud	safe
http://www.real.com;;;	0%	Avira URL Cloud	safe
http://eMajix.com;;;	0%	Avira URL Cloud	safe
http://www.vorbis.com;;Mode	0%	Avira URL Cloud	safe
http://www.real.com;LC	0%	Avira URL Cloud	safe
http://api.thesubdb.com/?action=search&hash=%s	0%	Avira URL Cloud	safe
http://www.cinepak.com/text.html;;;	0%	Avira URL Cloud	safe
http://www.fourcc.org/indexyuv.htm;;;YUV;4:1:1	0%	Avira URL Cloud	safe
http://www.theora.com	0%	Avira URL Cloud	safe
http://www.on2.com/vp7.php3;;;	0%	Avira URL Cloud	safe
http://www.digicine.com/PROTO-ASDCP-AM-20040311#	0%	Avira URL Cloud	safe
http://www.vorbis.com/;Lossy	0%	Avira URL Cloud	safe
http://mysif.ru/SIF1_dd_Eng.htm;;;	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/429-7/2006/CPLhttp://www.digicine.com/PROTO-ASDCP-CPL-20040511#TimeC	0%	Avira URL Cloud	safe
http://www.musepack.net;Lossy	0%	Avira URL Cloud	safe
http://www.adobe.fr/products/encore/;Lossless	0%	Avira URL Cloud	safe
http://www.smpte-ra.org/schemas/2067-2/2013	0%	Avira URL Cloud	safe
http://www.array.com	0%	Avira URL Cloud	safe
http://winace.com	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe	0%	Avira URL Cloud	safe
http://www.nerodigital.com	0%	Avira URL Cloud	safe
http://www.real.com;;;;;;Lossless	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe;;;YUV	0%	Avira URL Cloud	safe
http://www.digitalvoodoo.net/;;;	0%	Avira URL Cloud	safe
http://www.q-team.de;;;	0%	Avira URL Cloud	safe
http://www.cineform.com/products/ConnectHD.htm	0%	Avira URL Cloud	safe
http://amamaman.hp.infoseek.co.jp/english/amv2_e.html;;;	0%	Avira URL Cloud	safe
http://www.fourcc.org/indexrgb.htm;;;RGB	0%	Avira URL Cloud	safe
http://diracvideo.org/	0%	Avira URL Cloud	safe
http://www.chiariglione.org/mpeg/technologies/mp04-sls/index.htm;Lossless	0%	Avira URL Cloud	safe
http://www.webmproject.org;;;YUV;4:2:0	0%	Avira URL Cloud	safe
http://eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf	0%	Avira URL Cloud	safe
http://www.cyberlink.com;;;	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;YUV	0%	Avira URL Cloud	safe
http://www.cinepak.com/text.html	0%	Avira URL Cloud	safe
http://www.fourcc.org/indexrgb.htm;;;RGB;;8	0%	Avira URL Cloud	safe
http://www.fourcc.org/indexrgb.htm;;;RGB;;4	0%	Avira URL Cloud	safe
http://www.bbc.co.uk/rd/projects/dirac/index.shtml;;;	0%	Avira URL Cloud	safe
http://www.fourcc.org/indexrgb.htm;;;;	0%	Avira URL Cloud	safe
http://www.voxware.com/	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe;;;YUV	0%	Avira URL Cloud	safe
http://www.vorbis.com	0%	Avira URL Cloud	safe
http://www.on2.com/vp7.php3	0%	Avira URL Cloud	safe
http://www.morgan-multimedia.com/JPEG	0%	Avira URL Cloud	safe
http://www.digicine.com/PROTO-ASDCP-CPL-20040511#	0%	Avira URL Cloud	safe
http://thbeck.de/Tak/Tak.html;Lossless	0%	Avira URL Cloud	safe
http://www.fourcc.org/indexrgb.htm;;;RGBA	0%	Avira URL Cloud	safe
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe	0%	Avira URL Cloud	safe
http://www.fourcc.org/indexrgb.htm;;;RGB;	0%	Avira URL Cloud	safe
http://www.array.com;;;YUV;4:2:0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mpc-hc.org	172.67.3.208	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.fourcc.org/indexyuv.htm;;;YUV;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.isky.co.kr/html/cs/download.jsp	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.dolby.com/consumer/technology/trueHD.html	mpc-hc64.exe	false		high
http://ffdshow-tryout.sourceforge.net/;;;	mpc-hc64.exe	false		high
http://www.divx.com;;;YUV;4:2:0	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://www.winnov.com/	mpc-hc64.exe	false		high
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.smpte-ra.org/schemas/2067-2/2016/PKL	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.speex.org/	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.iis.fraunhofer.de/amm/index.html;	mpc-hc64.exe	false		high
http://www.lucasarts.com/	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://api.thesubdb.com	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358	mpc-hc64.exe	false		high
http://api.thesubdb.com/?action=download&hash=%s&language=%s	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://world.casio.com/;Casio	mpc-hc64.exe	false		high
http://www.free-codecs.com/download/Alparysoft_Lossless_Video_Codec.htm;;;	mpc-hc64.exe	false		high
http://mediaxw.sourceforge.net;;;YUV	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://www.smpte-ra.org/schemas/2067-2/2016/PKLhttp://www.smpte-ra.org/schemas/429-8/2007/PKLAnnotat	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
https://trac.mpc-hc.org/	mpc-hc64.exe	false		high
http://eMajix.com	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.streambox.com/products/act-L2_codec.htm	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.real.com;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://eMajix.com;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://www.iso.org/;JPEG	mpc-hc64.exe	false		high
http://www.real.com	mpc-hc64.exe	false		high
http://www.vorbis.com;;Mode	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://www.real.com;LC	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://packs.matroska.org/	mpc-hc64.exe	false		high
http://api.thesubdb.com/?action=search&hash=%s	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mediaarea.net/XVID;;;YUV;4:2:0	mpc-hc64.exe	false		high
http://www.cinepak.com/text.html;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.fourcc.org/indexyuv.htm;;;YUV;4:1:1	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.smpte.org/;;;YUV	mpc-hc64.exe	false		high
http://www.theora.com	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.on2.com/vp7.php3;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://api.opensubtitles.org/xml-rpc	mpc-hc64.exe	false		high
http://dividix.host.sk	mpc-hc64.exe	false		high
http://www.cyberlink.com	mpc-hc64.exe	false		high
http://www.digicine.com/PROTO-ASDCP-AM-20040311#	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.vorbis.com/;Lossy	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mysif.ru/SIF1_dd_Eng.htm;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://ffdshow.sourceforge.net/tikiwiki/tiki-index.php?page=Getting	mpc-hc64.exe	false		high
http://www.smpte-ra.org/schemas/429-7/2006/CPLhttp://www.digicine.com/PROTO-ASDCP-CPL-20040511#TimeC	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.musepack.net;Lossy	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://www.adobe.fr/products/encore/;Lossless	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
https://mpc-hc.org/	mpc-hc64.exe	false		high
http://ffdshow-tryout.sourceforge.net/;;;YUV;4:2:0	mpc-hc64.exe	false		high
http://video.google.com/playerdownload.html	mpc-hc64.exe	false		high
http://www.macromedia.com/go/getflashplayer	mpc-hc64.exe	false		high
http://www.smpte-ra.org/schemas/2067-2/2013	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.iis.fraunhofer.de/amm/index.html;;Version	mpc-hc64.exe	false		high
http://www.winnov.com/;;;	mpc-hc64.exe	false		high
http://www.array.com	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.nero.com	mpc-hc64.exe	false		high
http://winace.com	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.nerodigital.com	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.real.com;;;;;;Lossless	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe;;;YUV	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.digitalvoodoo.net/;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mediaxw.sourceforge.net	mpc-hc64.exe	false		high
http://www.playon.tv/playlater	mpc-hc64.exe	false		high
http://www.q-team.de;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://www.cineform.com/products/ConnectHD.htm	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://amamaman.hp.infoseek.co.jp/english/amv2_e.html;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358;;;YUV	mpc-hc64.exe	false		high
http://www.fourcc.org/indexrgb.htm;;;RGB	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://diracvideo.org/	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://ffdshow-tryout.sourceforge.net/	mpc-hc64.exe	false		high
http://www.chiariglione.org/mpeg/technologies/mp04-sls/index.htm;Lossless	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.webmproject.org;;;YUV;4:2:0	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.cyberlink.com;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	low
http://www.nue.tu-berlin.de/forschung/projekte/lossless/mp4als.html#downloads	mpc-hc64.exe	false		high
http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;YUV	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.cinepak.com/text.html	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.fourcc.org/indexrgb.htm;;;RGB;;8	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://flac.sourceforge.net/	mpc-hc64.exe	false		high
http://www.fourcc.org/indexrgb.htm;;;RGB;;4	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.bbc.co.uk/rd/projects/dirac/index.shtml;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.fourcc.org/indexrgb.htm;;;;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.voxware.com/	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe;;;YUV	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.wavpack.com/	mpc-hc64.exe	false		high
http://www.vorbis.com	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.on2.com/vp7.php3	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.morgan-multimedia.com/JPEG	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.digicine.com/PROTO-ASDCP-CPL-20040511#	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.sega.com/	mpc-hc64.exe	false		high
http://thbeck.de/Tak/Tak.html;Lossless	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.fourcc.org/indexrgb.htm;;;RGBA	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://www.3gpp.org/;3GPP	mpc-hc64.exe	false		high
http://www.fourcc.org/indexrgb.htm;;;RGB;	mpc-hc64.exe	false	Avira URL Cloud: safe	unknown
http://MediaArea.net/MediaInfoMediaInfoLib	mpc-hc64.exe	false		high
http://www.array.com;;;YUV;4:2:0	mpc-hc64.exe	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.3.208	mpc-hc.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	658363
Start date and time: 06/07/202220:58:59	2022-07-06 20:58:59 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	mpc-hc64.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.winEXE@1/0@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.35.229.133, 52.242.101.226, 20.54.89.106, 20.223.24.244, 52.152.110.14, 40.125.122.176
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.35876680446728
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mpc-hc64.exe
File size:	12661488
MD5:	b371a4b7ccb2ac89e38db6db3fff5381
SHA1:	e6b9b895ea94d41b0440bde57c3ac1b98f72ac3f
SHA256:	deac2a87da8340b072a2c266b465d517f86c1e3b18113e1c0113d662ba043c6b
SHA512:	899bfe03b8d9e327e5fa333b1dacf625bc1770b1d6101d5cf8994f06de6ff9531fdb57244eaa98a90e3dad0805f0d9e40eb6bc80dc6505d0bc77153de13d395b
SSDEEP:	196608:6VrDJlt+vpZriEP06gYKtdw28MMLMKgBvILZQLAC:urDJltspZriEP06gYKtdw28wFwNQLAC
TLSH:	03D67C0A7BB841D4C1A7C1B8CA5AC787E7B278515B31CBEF215D421A2F735E14E3A362
File Content Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......Zf..................?...............%.....v......^......%Y..5...%Y......9.................y.....qq\.......b.5......._.....u....

File Icon


Icon Hash:	d0bca9e8aacac81c

Static PE Info

General

Entrypoint:	0x14076cc94
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x596B8AA4 [Sun Jul 16 15:47:48 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	96245f0590e122d222ea6ad59210e429

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	1/24/2016 4:00:00 PM 1/29/2019 4:00:00 AM
Subject Chain	CN=Fotis Zafiropoulos, O=Fotis Zafiropoulos, L=\u039a\u0391\u03a3\u03a4\u03a1\u0399\u03a4\u03a3\u0399, S=\u03a0\u0391\u03a4\u03a1\u0391\u03a3, C=GR
Version:	3
Thumbprint MD5:	66AB459776FE686DF8921F96901FD67E
Thumbprint SHA-1:	AC9C620C67F29C882BD1D641916527AF5ADBBC70
Thumbprint SHA-256:	AA503D3AB5AB4838C1438DF257DCF9C958AA54937B11AF54FE07238467D40B4A
Serial:	0D173151D3DB317E050EFC22C5B3A0DD

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F9858DAA6CCh
dec eax
add esp, 28h
jmp 00007F9858DA9887h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00373C91h]
jne 00007F9858DA9A15h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F9858DA9A05h
ret
dec eax
ror ecx, 10h
jmp 00007F9858DAA1FCh
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
lea eax, dword ptr [00110BEFh]
dec eax
mov ebx, ecx
dec eax
mov dword ptr [ecx], eax
test dl, 00000001h
je 00007F9858DA9A0Ch
mov edx, 00000018h
call 00007F9858643F9Fh
dec eax
mov eax, ebx
dec eax
add esp, 20h
pop ebx
ret
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+18h], ebx
dec eax
mov dword ptr [eax+20h], esi
dec eax
mov dword ptr [eax+10h], edx
dec eax
mov dword ptr [eax+08h], ecx
push edi
inc ecx
push esi
inc ecx
push edi
dec eax
sub esp, 30h
dec ecx
mov esi, ecx
dec ebp
mov edi, eax
dec esp
mov esi, edx
dec eax
mov edi, ecx
xor ebx, ebx
dec eax
mov dword ptr [eax-20h], ebx
mov byte ptr [eax-28h], bl
dec ecx
cmp ebx, edi
je 00007F9858DA9A21h
dec eax
mov ecx, esi
call 00007F9858DAA41Fh
dec eax
mov ecx, edi
call esi
dec ecx
add edi, esi
dec eax
mov dword ptr [esp+50h], edi

Rich Headers

Programming Language:

[ C ] VS2005 build 50727
[IMP] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xad8c08	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbca000	0x85a10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb57000	0x51bd0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc0fa00	0x38f0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc50000	0x20118	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9aca30	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9acaa0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x87d960	0x94	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x820000	0x1d70	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xad8b80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x81e1f0	0x81e200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x820000	0x2beb76	0x2bec00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xadf000	0x770c4	0x1d200	False	0.18339256974248927	data	4.459554212695516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xb57000	0x51bd0	0x51c00	False	0.4935403526376147	data	6.4877877230759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0xba9000	0x1c2f4	0x1c400	False	0.29746266592920356	data	4.220044250274541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.giats	0xbc6000	0x10	0x200	False	0.05078125	data	0.15517757530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xbc7000	0x9	0x200	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0xbc8000	0x1320	0x1400	False	0.350390625	VISX image file	5.664095170518579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xbca000	0x85a10	0x85c00	False	0.42426438376168224	data	5.981371104965256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc50000	0x20118	0x20200	False	0.0943503769455253	data	5.4526940447101495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AVI	0xbdfcf8	0x3a00	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States
FILE	0xbe8330	0x1ace	assembler source, ASCII text, with CRLF line terminators	English	United States
FILE	0xbeb338	0x38a9	ASCII text, with CRLF line terminators	English	United States
FILE	0xbe9e00	0x1536	MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel	English	United States
PNG	0xc2b728	0x43	PNG image data, 1 x 1, 1-bit grayscale, non-interlaced	English	United States
PNG	0xc2b770	0x27b1	PNG image data, 206 x 148, 8-bit grayscale, non-interlaced	English	United States
PNG	0xc2df28	0xc7cd	PNG image data, 241 x 198, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3a6f8	0x21b8	PNG image data, 310 x 150, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3cc28	0x3b5	PNG image data, 32 x 16, 8-bit/color RGBA, non-interlaced	English	United States
PNG	0xc3cfe0	0xaf	PNG image data, 110 x 20, 2-bit colormap, non-interlaced	English	United States
PNG	0xc3d090	0x5b	PNG image data, 10 x 20, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3cb88	0x9a	PNG image data, 15 x 20, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2a6b0	0x44	PNG image data, 1 x 1, 8-bit gray+alpha, non-interlaced	English	United States
PNG	0xc3caf0	0x95	PNG image data, 515 x 20, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2b3b8	0x2aa	PNG image data, 22 x 30, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2ae00	0x8e	PNG image data, 1 x 30, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2ae90	0x528	PNG image data, 28 x 30, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2b6d8	0x4e	PNG image data, 4 x 1, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3c918	0x4e	PNG image data, 4 x 1, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2a6f8	0x50	PNG image data, 1 x 4, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2b668	0x6a	PNG image data, 4 x 4, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3c8b0	0x66	PNG image data, 4 x 4, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3c9e8	0x55	PNG image data, 4 x 19, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3ca40	0x53	PNG image data, 1 x 19, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3ca98	0x51	PNG image data, 4 x 19, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3c968	0x79	PNG image data, 13 x 19, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2a748	0x4a	PNG image data, 1 x 28, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2a8f0	0x76	PNG image data, 25 x 28, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2a888	0x63	PNG image data, 23 x 28, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2aae0	0x6a	PNG image data, 25 x 28, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc2a968	0x72	PNG image data, 24 x 28, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2a798	0x73	PNG image data, 22 x 28, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2a810	0x72	PNG image data, 23 x 28, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2a9e0	0x7c	PNG image data, 28 x 28, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2aa60	0x79	PNG image data, 31 x 28, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2ad58	0xa7	PNG image data, 28 x 28, 8-bit colormap, non-interlaced	English	United States
PNG	0xc2ac48	0x110	PNG image data, 28 x 28, 8-bit colormap, non-interlaced	English	United States
PNG	0xc2ab50	0x91	PNG image data, 55 x 28, 2-bit colormap, non-interlaced	English	United States
PNG	0xc2abe8	0x5d	PNG image data, 10 x 21, 8-bit/color RGB, non-interlaced	English	United States
PNG	0xc3d0f0	0x2fc	PNG image data, 108 x 18, 8-bit colormap, non-interlaced	English	United States
SHADER	0xc3d918	0xab1	C source, ASCII text, with CRLF line terminators	English	United States
SHADER	0xc3d3f0	0x172	ASCII text, with CRLF line terminators	English	United States
SHADER	0xc3d568	0x3ae	ASCII text, with CRLF line terminators	English	United States
SVG	0xc3e3d0	0x47b	SVG Scalable Vector Graphics image	English	United States
RT_CURSOR	0xbde560	0x134	data	English	United States
RT_CURSOR	0xbde698	0xb4	data	English	United States
RT_CURSOR	0xbde778	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0xbde8c8	0x134	data	English	United States
RT_CURSOR	0xbdea18	0x134	data	English	United States
RT_CURSOR	0xbdeb68	0x134	data	English	United States
RT_CURSOR	0xbdecb8	0x134	data	English	United States
RT_CURSOR	0xbdee08	0x134	data	English	United States
RT_CURSOR	0xbdef58	0x134	data	English	United States
RT_CURSOR	0xbdf0a8	0x134	data	English	United States
RT_CURSOR	0xbdf1f8	0x134	data	English	United States
RT_CURSOR	0xbdf348	0x134	data	English	United States
RT_CURSOR	0xbdf498	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0xbdf5e8	0x134	data	English	United States
RT_CURSOR	0xbdf738	0x134	data	English	United States
RT_CURSOR	0xbdf888	0x134	data	English	United States
RT_BITMAP	0xbd94f0	0x7e8	data	English	United States
RT_BITMAP	0xbe3d18	0x674	data	English	United States
RT_BITMAP	0xbe36f8	0x620	data	English	United States
RT_BITMAP	0xbe4390	0x71c	data	English	United States
RT_BITMAP	0xbe58c0	0x158	data	English	United States
RT_BITMAP	0xbe5a18	0x1b28	data	English	United States
RT_BITMAP	0xbe7540	0x334	data	English	United States
RT_BITMAP	0xbe7878	0x334	data	English	United States
RT_BITMAP	0xbe7bb0	0x2cc	data	English	United States
RT_BITMAP	0xbe4ab0	0x4ac	data	English	United States
RT_BITMAP	0xbe7e80	0x4ac	data	English	United States
RT_BITMAP	0xbe4f60	0x4ac	data	English	United States
RT_BITMAP	0xbe5410	0x4ac	data	English	United States
RT_BITMAP	0xbdfaf8	0xb8	data	English	United States
RT_BITMAP	0xbdfbb0	0x144	data	English	United States
RT_ICON	0xc02a38	0x2e8	data	English	United States
RT_ICON	0xc02d20	0x1e8	data	English	United States
RT_ICON	0xc02f08	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc03030	0xea8	data	English	United States
RT_ICON	0xc03ed8	0x8a8	data	English	United States
RT_ICON	0xc04780	0x6c8	data	English	United States
RT_ICON	0xc04e48	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc053b0	0x9cbd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xc0f070	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xc11618	0x10a8	data	English	United States
RT_ICON	0xc126c0	0x988	data	English	United States
RT_ICON	0xc13048	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc13560	0x10a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xc14620	0x10a8	data	English	United States
RT_ICON	0xc156e0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc15b60	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc15fe0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc16460	0x668	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xc16ac8	0x2e8	data	English	United States
RT_ICON	0xc16db0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc16ed8	0xea8	data	English	United States
RT_ICON	0xc17d80	0x8a8	data	English	United States
RT_ICON	0xc18628	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc18b90	0x25a8	data	English	United States
RT_ICON	0xc1b138	0x10a8	data	English	United States
RT_ICON	0xc1c1e0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc1c6d0	0x668	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xc1cd38	0x2e8	data	English	United States
RT_ICON	0xc1d020	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc1d148	0xea8	data	English	United States
RT_ICON	0xc1dff0	0x8a8	data	English	United States
RT_ICON	0xc1e898	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc1ee00	0x25a8	data	English	United States
RT_ICON	0xc213a8	0x10a8	data	English	United States
RT_ICON	0xc22450	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc22940	0x668	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xc22fa8	0x2e8	data	English	United States
RT_ICON	0xc23290	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc233b8	0xea8	data	English	United States
RT_ICON	0xc24260	0x8a8	data	English	United States
RT_ICON	0xc24b08	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc25070	0x25a8	data	English	United States
RT_ICON	0xc27618	0x10a8	data	English	United States
RT_ICON	0xc286c0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc28bb0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc29030	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc294b0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc29930	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc29db0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc2a230	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0xbd9d00	0x15fa	data	English	United States
RT_MENU	0xbdb300	0x14c6	data	English	United States
RT_MENU	0xbdc7c8	0x1d94	data	English	United States
RT_DIALOG	0xbcf170	0x316	data	English	United States
RT_DIALOG	0xbd3670	0x26a	data	English	United States
RT_DIALOG	0xbd38e0	0x138	data	English	United States
RT_DIALOG	0xbd5d88	0x240	data	English	United States
RT_DIALOG	0xbd5fc8	0x1a4	data	English	United States
RT_DIALOG	0xbd28a0	0x27c	data	English	United States
RT_DIALOG	0xbd2b20	0x2cc	data	English	United States
RT_DIALOG	0xbd31b0	0x2e4	data	English	United States
RT_DIALOG	0xbcee08	0x362	data	English	United States
RT_DIALOG	0xbd2e50	0x1a8	data	English	United States
RT_DIALOG	0xbd2ff8	0x1b8	data	English	United States
RT_DIALOG	0xbcf488	0x52c	data	English	United States
RT_DIALOG	0xbcfa38	0x40	data	English	United States
RT_DIALOG	0xbcf9b8	0x40	data	English	United States
RT_DIALOG	0xbcf9f8	0x40	data	English	United States
RT_DIALOG	0xbd0690	0x92e	data	English	United States
RT_DIALOG	0xbcfa78	0x88e	data	English	United States
RT_DIALOG	0xbd0308	0x388	data	English	United States
RT_DIALOG	0xbd0fc0	0x94e	data	English	United States
RT_DIALOG	0xbd1910	0x5f4	data	English	United States
RT_DIALOG	0xbd1f08	0x67c	data	English	United States
RT_DIALOG	0xbce848	0x5bc	data	English	United States
RT_DIALOG	0xbd2588	0x314	data	English	United States
RT_DIALOG	0xbd8270	0x498	data	English	United States
RT_DIALOG	0xbd3498	0x1d4	data	English	United States
RT_DIALOG	0xbd4070	0xbce	data	English	United States
RT_DIALOG	0xbd4c40	0x32e	data	English	United States
RT_DIALOG	0xbd4f70	0x176	data	English	United States
RT_DIALOG	0xbd50e8	0x880	data	English	United States
RT_DIALOG	0xbd5968	0x420	data	English	United States
RT_DIALOG	0xbd3a18	0x94	data	English	United States
RT_DIALOG	0xbd3ab0	0x182	data	English	United States
RT_DIALOG	0xbce290	0x5b8	data	English	United States
RT_DIALOG	0xbd3f58	0x118	data	English	United States
RT_DIALOG	0xbce1b8	0xd4	data	English	United States
RT_DIALOG	0xbd3f18	0x40	data	English	United States
RT_DIALOG	0xbd6170	0x10c	data	English	United States
RT_DIALOG	0xbd3c38	0x2e0	data	English	United States
RT_DIALOG	0xbd6280	0x54a	data	English	United States
RT_DIALOG	0xbd2df0	0x60	data	English	United States
RT_DIALOG	0xbd6b98	0x48c	data	English	United States
RT_DIALOG	0xbd7028	0x49e	data	English	United States
RT_DIALOG	0xbd74c8	0x56e	data	English	United States
RT_DIALOG	0xbce0e0	0xd4	data	English	United States
RT_DIALOG	0xbd8ac0	0x484	data	English	United States
RT_DIALOG	0xbd67d0	0x3c4	data	English	United States
RT_DIALOG	0xbd7a38	0xd0	data	English	United States
RT_DIALOG	0xbd7b08	0x604	data	English	United States
RT_DIALOG	0xbd8110	0x15e	data	English	United States
RT_DIALOG	0xbd8708	0x198	data	English	United States
RT_DIALOG	0xbd88a0	0x21a	data	English	United States
RT_DIALOG	0xbd8f48	0xd8	data	English	United States
RT_DIALOG	0xbd9020	0xc8	data	English	United States
RT_DIALOG	0xbd90e8	0x402	data	English	United States
RT_DIALOG	0xbdf9d8	0xe8	data	English	United States
RT_DIALOG	0xbdfac0	0x34	data	English	United States
RT_STRING	0xc4d548	0x60	data	English	United States
RT_STRING	0xc4d5a8	0x6a	data	English	United States
RT_STRING	0xc4d618	0xb2	data	English	United States
RT_STRING	0xc42f60	0xe0	data	English	United States
RT_STRING	0xc43040	0x44	data	English	United States
RT_STRING	0xc43088	0x78	data	English	United States
RT_STRING	0xc4b3a0	0x30	data	English	United States
RT_STRING	0xc40548	0x36	data	English	United States
RT_STRING	0xc3fe10	0x11c	data	English	United States
RT_STRING	0xc40458	0xea	data	English	United States
RT_STRING	0xc3ff30	0x128	data	English	United States
RT_STRING	0xc429a0	0x5bc	data	English	United States
RT_STRING	0xc40580	0xc72	data	English	United States
RT_STRING	0xc411f8	0x642	data	English	United States
RT_STRING	0xc41e08	0x5f2	data	English	United States
RT_STRING	0xc42650	0x2e6	data	English	United States
RT_STRING	0xc3fc68	0x122	data	English	United States
RT_STRING	0xc43100	0xd2	data	English	United States
RT_STRING	0xc431d8	0xd8	data	English	United States
RT_STRING	0xc435f8	0x138	data	English	United States
RT_STRING	0xc3ec00	0x136	data	English	United States
RT_STRING	0xc3ed38	0x30e	data	English	United States
RT_STRING	0xc456d8	0x134	data	English	United States
RT_STRING	0xc42400	0x94	data	English	United States
RT_STRING	0xc42498	0x9c	data	English	United States
RT_STRING	0xc4b0e8	0x2b8	data	English	United States
RT_STRING	0xc3fd90	0x7e	data	English	United States
RT_STRING	0xc43730	0x2a	data	English	United States
RT_STRING	0xc43760	0x8e	data	English	United States
RT_STRING	0xc437f0	0xfc	data	English	United States
RT_STRING	0xc448e8	0x184	data	English	United States
RT_STRING	0xc45350	0x232	data	English	United States
RT_STRING	0xc45810	0x1ca	data	English	United States
RT_STRING	0xc45d58	0x188	data	English	United States
RT_STRING	0xc45ee0	0x1ca	data	English	United States
RT_STRING	0xc460b0	0x202	data	English	United States
RT_STRING	0xc45588	0x150	data	English	United States
RT_STRING	0xc462b8	0x48	data	English	United States
RT_STRING	0xc463d0	0x1f0	data	English	United States
RT_STRING	0xc468f0	0x1ec	data	English	United States
RT_STRING	0xc46d70	0x1a0	data	English	United States
RT_STRING	0xc46f10	0x6ce	data	English	United States
RT_STRING	0xc475e0	0x290	data	English	United States
RT_STRING	0xc479a8	0x2a4	data	English	United States
RT_STRING	0xc47c50	0x216	data	English	United States
RT_STRING	0xc47e68	0x214	data	English	United States
RT_STRING	0xc465c0	0x32e	data	English	United States
RT_STRING	0xc46ae0	0x28a	data	English	United States
RT_STRING	0xc47870	0x138	data	English	United States
RT_STRING	0xc48080	0x1e8	data	English	United States
RT_STRING	0xc43428	0x1cc	data	English	United States
RT_STRING	0xc42938	0x66	data	English	United States
RT_STRING	0xc43380	0xa4	data	English	United States
RT_STRING	0xc432b0	0xcc	data	English	United States
RT_STRING	0xc42538	0x114	data	English	United States
RT_STRING	0xc48268	0x9e	data	English	United States
RT_STRING	0xc48760	0x1d8	data	English	United States
RT_STRING	0xc486a8	0xb6	data	English	United States
RT_STRING	0xc48938	0x6c	data	English	United States
RT_STRING	0xc489a8	0x146	AmigaOS bitmap font	English	United States
RT_STRING	0xc48af0	0x5e	data	English	United States
RT_STRING	0xc48b50	0x4c	data	English	United States
RT_STRING	0xc48c30	0x12c	data	English	United States
RT_STRING	0xc48ba0	0x8e	data	English	United States
RT_STRING	0xc48d60	0x66	data	English	United States
RT_STRING	0xc48490	0x4a	data	English	United States
RT_STRING	0xc484e0	0x1c8	data	English	United States
RT_STRING	0xc48308	0x184	data	English	United States
RT_STRING	0xc46300	0xcc	data	English	United States
RT_STRING	0xc48dc8	0x52	data	English	United States
RT_STRING	0xc48e20	0x2f8	data	English	United States
RT_STRING	0xc49118	0x386	data	English	United States
RT_STRING	0xc494a0	0x3ca	data	English	United States
RT_STRING	0xc44e88	0x4c8	data	English	United States
RT_STRING	0xc49df8	0x864	data	English	United States
RT_STRING	0xc4a660	0x4e2	data	English	United States
RT_STRING	0xc4ab48	0x2f4	data	English	United States
RT_STRING	0xc49870	0x3a6	data	English	United States
RT_STRING	0xc49c18	0x1da	data	English	United States
RT_STRING	0xc3f4d0	0x12c	data	English	United States
RT_STRING	0xc3fa40	0x224	data	English	United States
RT_STRING	0xc3f600	0x43c	data	English	United States
RT_STRING	0xc459e0	0x374	data	English	United States
RT_STRING	0xc40058	0x400	data	English	United States
RT_STRING	0xc41840	0x252	data	English	United States
RT_STRING	0xc41a98	0x370	data	English	United States
RT_STRING	0xc4ae40	0x2a6	data	English	United States
RT_STRING	0xc3f048	0x482	data	English	United States
RT_STRING	0xc44a70	0x414	data	English	United States
RT_STRING	0xc438f0	0x30a	data	English	United States
RT_STRING	0xc43c00	0x38a	data	English	United States
RT_STRING	0xc43f90	0x374	data	English	United States
RT_STRING	0xc44308	0x5e0	data	English	United States
RT_STRING	0xc4b3d0	0x2f8	data	English	United States
RT_STRING	0xc4bdd8	0x22e	data	English	United States
RT_STRING	0xc4c008	0x780	data	English	United States
RT_STRING	0xc4c788	0x760	data	English	United States
RT_STRING	0xc4cee8	0x660	data	English	United States
RT_STRING	0xc4b6c8	0x70c	data	English	United States
RT_STRING	0xc4d6d0	0x82	data	English	United States
RT_STRING	0xc4d758	0x2a	data	English	United States
RT_STRING	0xc4d788	0x184	data	English	United States
RT_STRING	0xc4d910	0x4ee	data	English	United States
RT_STRING	0xc4e190	0x264	data	English	United States
RT_STRING	0xc4deb0	0x2da	data	English	United States
RT_STRING	0xc4ebd8	0x8a	data	English	United States
RT_STRING	0xc4de00	0xac	data	English	United States
RT_STRING	0xc4eac8	0xde	data	English	United States
RT_STRING	0xc4e3f8	0x4a8	data	English	United States
RT_STRING	0xc4e8a0	0x228	data	English	United States
RT_STRING	0xc4eba8	0x2c	data	English	United States
RT_STRING	0xc4ec68	0x53e	data	English	United States
RT_GROUP_CURSOR	0xbde750	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xbdef40	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbde8b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdedf0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdeca0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdf5d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdeb50	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdf1e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdea00	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdf090	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdf330	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdf480	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdf720	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdf870	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xbdf9c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xc134b0	0xae	data	English	United States
RT_GROUP_ICON	0xc14608	0x14	data	English	United States
RT_GROUP_ICON	0xc156c8	0x14	data	English	United States
RT_GROUP_ICON	0xc228b8	0x84	data	English	United States
RT_GROUP_ICON	0xc1c648	0x84	data	English	United States
RT_GROUP_ICON	0xc28b28	0x84	data	English	United States
RT_GROUP_ICON	0xc29018	0x14	data	English	United States
RT_GROUP_ICON	0xc29498	0x14	data	English	United States
RT_GROUP_ICON	0xc29918	0x14	data	English	United States
RT_GROUP_ICON	0xc29d98	0x14	data	English	United States
RT_GROUP_ICON	0xc2a218	0x14	data	English	United States
RT_GROUP_ICON	0xc2a698	0x14	data	English	United States
RT_GROUP_ICON	0xc15b48	0x14	data	English	United States
RT_GROUP_ICON	0xc15fc8	0x14	data	English	United States
RT_GROUP_ICON	0xc16448	0x14	data	English	United States
RT_VERSION	0xc3e850	0x3ac	data	English	United States
RT_HTML	0xc00a90	0x313	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0xc00560	0x52f	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0xbeebe8	0x2c4	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0xbeeeb0	0x4cb	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0xbef380	0x111dc	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_HTML	0xc00da8	0x1761	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	English	United States
RT_HTML	0xc02510	0x522	HTML document, ASCII text, with CRLF line terminators	English	United States
RT_MANIFEST	0xc4f1a8	0x863	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	English	United States
None	0xbd9cd8	0x26	data	English	United States

Imports

DLL	Import
gdiplus.dll	GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdipCreateBitmapFromHBITMAP, GdipSaveImageToStream, GdipCreateBitmapFromStream, GdipCreateBitmapFromFile, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImagePaletteSize, GdipGetImagePalette, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipGetImageGraphicsContext, GdipDeleteGraphics, GdipDrawImageI, GdipSaveImageToFile, GdipGetImageEncoders, GdipGetImageEncodersSize, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromScan0, GdipFree, GdipAlloc, GdiplusStartup, GdipDrawImageRectI
UxTheme.dll	DrawThemeBackground, IsThemeBackgroundPartiallyTransparent, SetWindowTheme, GetThemePartSize, IsAppThemed, DrawThemeParentBackground, GetThemeColor, GetCurrentThemeName, GetWindowTheme, DrawThemeText, GetThemeSysColor, CloseThemeData, OpenThemeData
WINMM.dll	timeBeginPeriod, timeGetTime, timeSetEvent, timeKillEvent, timeEndPeriod, PlaySoundW, timeGetDevCaps, waveOutGetVolume, waveOutSetVolume, mixerSetControlDetails
KERNEL32.dll	GetThreadLocale, lstrcmpA, GetProfileIntW, GetPrivateProfileIntW, GetPrivateProfileStringW, WritePrivateProfileStringW, VerSetConditionMask, lstrcpyW, VerifyVersionInfoW, FindResourceExW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, LocalReAlloc, GetSystemDefaultUILanguage, GlobalFlags, SetErrorMode, GetWindowsDirectoryW, SearchPathW, WaitForSingleObjectEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, UnregisterWaitEx, GetStringTypeExW, InterlockedPopEntrySList, GetModuleHandleA, GetThreadTimes, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetNumaHighestNodeNumber, GetFileSize, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, SwitchToThread, SignalObjectAndWait, CreateTimerQueue, WriteConsoleW, SetEnvironmentVariableA, FindFirstFileExW, GetConsoleCP, ReadConsoleW, EnumSystemLocalesW, IsValidLocale, GetOEMCP, IsValidCodePage, HeapQueryInformation, SetStdHandle, ExitProcess, GetCommandLineW, GetCommandLineA, FreeLibraryAndExitThread, SizeofResource, LockResource, LoadResource, FindResourceW, GetProcAddress, GetModuleHandleW, MultiByteToWideChar, lstrcmpiW, UnlockFile, QueryDepthSList, LockFile, QueryActCtxW, FindActCtxSectionStringW, DeactivateActCtx, ActivateActCtx, CreateActCtxW, GlobalFindAtomW, GetModuleHandleExW, EncodePointer, OutputDebugStringW, TryEnterCriticalSection, GetExitCodeThread, RtlPcToFileHeader, QueueUserWorkItem, GetStringTypeW, OutputDebugStringA, GlobalSize, OpenThread, SetThreadContext, GetThreadContext, CreateToolhelp32Snapshot, Thread32First, Thread32Next, HeapCreate, LoadLibraryA, GetTimeZoneInformation, SuspendThread, ResumeThread, GetProcessAffinityMask, GetShortPathNameW, GetLongPathNameW, RemoveDirectoryW, CreateHardLinkW, MoveFileW, SetFileAttributesW, GetSystemDirectoryW, GetConsoleMode, GetSystemTime, TzSpecificLocalTimeToSystemTime, LocalFileTimeToFileTime, SystemTimeToFileTime, FileTimeToLocalFileTime, GetFileType, GetFileTime, SetFileTime, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetStdHandle, IsDBCSLeadByte, GetCPInfo, CompareStringW, FoldStringW, AreFileApisANSI, DebugBreak, IsDBCSLeadByteEx, LocalAlloc, IsBadWritePtr, IsBadReadPtr, GlobalGetAtomNameW, FormatMessageW, FlushInstructionCache, QueryPerformanceCounter, QueryPerformanceFrequency, lstrlenW, SetThreadPriority, GetCurrentThread, GetThreadPriority, VirtualFree, VirtualAlloc, ReleaseSemaphore, CreateSemaphoreW, WaitForMultipleObjects, lstrcmpW, GetNumberFormatW, SetLastError, GetVersionExW, LCMapStringW, InterlockedPushEntrySList, InterlockedFlushSList, RtlUnwindEx, ExitThread, GlobalAlloc, GlobalLock, GlobalUnlock, GetFileAttributesW, LoadLibraryExA, VirtualQuery, VirtualProtect, GetSystemInfo, FormatMessageA, CreateProcessW, FreeEnvironmentStringsW, GetEnvironmentStringsW, DuplicateHandle, CreatePipe, TerminateProcess, CreateThread, GetVolumeInformationW, GetModuleFileNameW, GetTempFileNameW, DecodePointer, RaiseException, GetUserDefaultUILanguage, ReadDirectoryChangesW, GetOverlappedResult, CancelIo, GetACP, GetTimeFormatW, GetDateFormatW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFileAttributesExW, GlobalDeleteAtom, GlobalAddAtomW, ReleaseMutex, CreateMutexW, SetCurrentDirectoryW, HeapSetInformation, SetDllDirectoryW, GlobalFree, DeviceIoControl, GetTempPathW, CreateFileA, WriteProcessMemory, ReadProcessMemory, IsDebuggerPresent, DeleteFileW, CopyFileW, SleepEx, HeapReAlloc, HeapSize, HeapDestroy, HeapFree, GetProcessHeap, HeapAlloc, FreeResource, GetDriveTypeW, LocalFree, GetLocaleInfoA, GetCurrentDirectoryW, FindNextFileW, GetDiskFreeSpaceExW, FindClose, FindFirstFileW, SetSystemPowerState, SetThreadExecutionState, GetLocaleInfoW, TerminateThread, WaitForSingleObject, WriteFile, GetTickCount, MulDiv, ResetEvent, SetEvent, CreateEventW, CreateDirectoryW, GetLocalTime, GetCurrentProcessId, CreateFileW, ReadFile, SetFilePointerEx, GetFileSizeEx, InitializeCriticalSection, CloseHandle, LoadLibraryExW, GetCurrentThreadId, WideCharToMultiByte, AddVectoredExceptionHandler, RemoveVectoredExceptionHandler, Sleep, GetUserDefaultLCID, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, LoadLibraryW, FreeLibrary, GetLastError, GetFullPathNameW, GetCurrentProcess, SetPriorityClass, DeleteCriticalSection
USER32.dll	BringWindowToTop, IsClipboardFormatAvailable, MapVirtualKeyW, GetKeyNameTextW, CharNextW, MapDialogRect, GetWindowDC, TabbedTextOutW, GrayStringW, DrawTextW, WaitMessage, SendDlgItemMessageA, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, IsDialogMessageW, SetWindowTextW, IsDlgButtonChecked, CheckRadioButton, CheckDlgButton, SetDlgItemTextW, GetDlgItemInt, SetDlgItemInt, IsWindowEnabled, GetNextDlgTabItem, WinHelpW, SetScrollInfo, GetLastActivePopup, GetWindowTextLengthW, GetWindowTextW, RemovePropW, GetPropW, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, ValidateRect, EndPaint, BeginPaint, SetMenu, SetFocus, IsChild, GetClassInfoExW, GetMenuState, GetMenuStringW, GetIconInfo, wsprintfW, GetDCEx, SetWindowRgn, GetScrollInfo, GetClassLongPtrW, GetWindowRgn, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, InvertRect, DrawTextExW, GetMenu, CreateDialogIndirectParamW, EndDialog, DialogBoxParamW, CharUpperW, CharLowerW, CharToOemBuffW, OemToCharA, CharToOemA, OemToCharBuffA, CharLowerBuffW, DestroyWindow, RegisterClassW, LoadAcceleratorsW, GetQueueStatus, DestroyMenu, TrackPopupMenu, GetMessageW, SetParent, GetMessagePos, UnregisterClassW, SetProcessDefaultLayout, SendNotifyMessageW, EnumDisplayDevicesW, RedrawWindow, SetPropW, GetDlgCtrlID, GetWindowLongPtrW, TranslateMessage, GetDlgItemTextW, SetWindowLongPtrW, SetWindowPos, MoveWindow, FindWindowExW, CreateWindowExW, CallWindowProcW, IntersectRect, UnregisterHotKey, RegisterHotKey, RegisterRawInputDevices, GetRawInputDeviceInfoW, GetRawInputDeviceList, GetRawInputData, SetWindowPlacement, GetWindowPlacement, ShowWindow, AllowSetForegroundWindow, DefWindowProcW, LockWindowUpdate, ChangeDisplaySettingsExA, MsgWaitForMultipleObjectsEx, SetClassLongPtrW, GetDoubleClickTime, TrackMouseEvent, GetClassNameW, EnumDisplayMonitors, CallNextHookEx, DispatchMessageW, GetMessageTime, GetWindowThreadProcessId, SetWindowsHookExW, UnhookWindowsHookEx, EqualRect, MonitorFromRect, DestroyIcon, FindWindowW, MsgWaitForMultipleObjects, CheckMenuItem, AppendMenuW, RemoveMenu, CreatePopupMenu, ChangeDisplaySettingsExW, EnumDisplaySettingsW, IsMenu, MessageBeep, CheckMenuRadioItem, TranslateAcceleratorW, InsertMenuItemW, GetMenuBarInfo, UnpackDDElParam, ReuseDDElParam, GetSystemMenu, SetWindowContextHelpId, ShowOwnedPopups, SetLayeredWindowAttributes, CopyImage, RealChildWindowFromPoint, CopyAcceleratorTableW, InvalidateRgn, GetNextDlgGroupItem, DrawEdge, DrawStateW, DrawFocusRect, DrawIconEx, ToUnicodeEx, GetKeyboardLayout, GetKeyboardState, SetWindowLongW, SetRectEmpty, InsertMenuW, DeleteMenu, EnableMenuItem, SetMenuItemInfoW, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, LockWorkStation, ExitWindowsEx, SystemParametersInfoW, GetActiveWindow, GetTopWindow, GetForegroundWindow, MonitorFromPoint, NotifyWinEvent, SetCursorPos, GetMenuDefaultItem, EnableScrollBar, HideCaret, CopyIcon, DrawIcon, SetMenuDefaultItem, ModifyMenuW, IsCharLowerW, MapVirtualKeyExW, CharUpperBuffW, UpdateLayeredWindow, DrawMenuBar, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, GetUpdateRect, SubtractRect, CreateMenu, GetComboBoxInfo, DestroyCursor, GetAsyncKeyState, GetMonitorInfoW, GetWindowLongW, AdjustWindowRectEx, GetMenuItemRect, GetSubMenu, SetForegroundWindow, IsIconic, PostThreadMessageW, LoadMenuW, RegisterWindowMessageW, PostQuitMessage, GetFocus, GetAncestor, GetCapture, IsZoomed, RegisterClipboardFormatW, MessageBoxW, GetKeyState, GetSysColorBrush, GetCursorPos, DrawFrameControl, OffsetRect, ReleaseCapture, WindowFromPoint, ScreenToClient, ClientToScreen, SetCapture, FrameRect, FillRect, CopyRect, MonitorFromWindow, ReleaseDC, GetDC, SetTimer, KillTimer, PeekMessageW, UpdateWindow, SetActiveWindow, GetDesktopWindow, SetRect, UnionRect, SetCursor, GetSysColor, GetDlgItem, LoadIconW, PtInRect, GetSystemMetrics, InflateRect, GetWindowRect, IsRectEmpty, InvalidateRect, IsWindow, PostMessageW, MapWindowPoints, GetClientRect, IsWindowVisible, GetWindow, LoadCursorW, CreateAcceleratorTableW, DestroyAcceleratorTable, CloseClipboard, SetClipboardData, EmptyClipboard, GetParent, OpenClipboard, LoadImageW, SendMessageW, EnableWindow, GetClassInfoW
GDI32.dll	PtVisible, RectVisible, RestoreDC, SaveDC, SelectPalette, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextAlign, ExtTextOutW, SetWindowExtEx, SetWindowOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, GetMapMode, DPtoLP, GetBkColor, GetCharWidthW, GetPixel, CreateDIBitmap, GetTextCharsetInfo, GetRgnBox, CreateEllipticRgn, Ellipse, Polygon, Polyline, CreateRoundRectRgn, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, RealizePalette, LPtoDP, RoundRect, ExtFloodFill, SetPaletteEntries, FrameRgn, GetBoundsRect, PtInRegion, GetViewportOrgEx, SetPixelV, GetTextFaceW, GetWindowOrgEx, FillRgn, SetRectRgn, OffsetRgn, GdiFlush, OffsetViewportOrgEx, SelectClipRgn, AbortPath, GetPath, EndPath, CloseFigure, BeginPath, SetMapMode, AddFontResourceW, GetICMProfileW, TextOutW, SetTextColor, SetBkColor, GetCurrentObject, TranslateCharsetInfo, EnumFontFamiliesExW, CreateFontW, CombineRgn, CreateRectRgn, EnumFontFamiliesW, GetTextMetricsW, GetTextColor, GetStockObject, ExtSelectClipRgn, CreateRectRgnIndirect, SetPixel, SetBkMode, CreateFontIndirectW, SetViewportExtEx, SetViewportOrgEx, CreateDCW, DeleteObject, GetObjectW, CreateDIBSection, SelectObject, DeleteDC, CreateCompatibleDC, SetStretchBltMode, StretchBlt, BitBlt, CreatePen, Rectangle, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetObjectType, GetClipBox, ExcludeClipRect, Escape, CreatePatternBrush, CreateHatchBrush, CopyMetaFileW, PatBlt, CreatePolygonRgn, GetDeviceCaps, SetDIBColorTable, CreateSolidBrush, MoveToEx, LineTo, CreateBitmap, StretchDIBits, GetTextExtentPoint32W, CreateCompatibleBitmap
MSIMG32.dll	AlphaBlend, TransparentBlt
WINSPOOL.DRV	DocumentPropertiesW, ClosePrinter, OpenPrinterW
ADVAPI32.dll	RegSetValueA, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExA, RegCreateKeyExW, RegDeleteKeyA, RegDeleteKeyW, RegEnumKeyW, SetFileSecurityW, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, CryptDecrypt, CryptDestroyKey, CryptEncrypt, CryptDeriveKey, CryptReleaseContext, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextW, RegCloseKey, RegSetValueW, RegQueryValueW, RegQueryValueA, RegOpenKeyW, RegOpenKeyA, RegCreateKeyW, RegCreateKeyA, RegFlushKey, RegSetValueExW, RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyW, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueW, RegEnumValueA, RegEnumKeyExW, RegEnumKeyExA, RegDeleteValueW, RegDeleteValueA
SHELL32.dll	ShellExecuteW, SHChangeNotify, DragQueryFileW, DragFinish, Shell_NotifyIconW, SHBrowseForFolderW, SHGetPathFromIDListW, SHAddToRecentDocs, ExtractIconExW, SHGetFolderPathW, ShellExecuteExW, SHParseDisplayName, SHOpenFolderAndSelectItems, SHFileOperationW, SHGetSpecialFolderLocation, SHGetFileInfoW, SHGetDesktopFolder, SHAppBarMessage, ExtractIconW
COMCTL32.dll	ImageList_Remove, ImageList_GetImageCount, ImageList_ReplaceIcon, ImageList_GetIcon, ImageList_AddMasked, ImageList_Draw, ImageList_Add, _TrackMouseEvent, ImageList_EndDrag, ImageList_DragLeave, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragEnter, ImageList_BeginDrag, ImageList_GetImageInfo
SHLWAPI.dll	PathRenameExtensionW, PathStripPathW, PathRemoveFileSpecW, StrFormatByteSizeW, PathFindExtensionW, PathSkipRootW, PathRemoveExtensionW, PathMakePrettyW, PathIsDirectoryW, PathCombineW, PathAddExtensionW, PathAddBackslashW, StrCmpLogicalW, SHCopyKeyW, PathFileExistsW, StrRetToStrW, PathAppendW, PathCompactPathW, PathRelativePathToW, PathCanonicalizeW, PathRemoveBackslashW, PathIsRelativeW, PathIsPrefixW, PathIsUNCW, PathFindFileNameW, UrlUnescapeW, PathStripToRootW, StrFormatKBSizeW
ole32.dll	StringFromCLSID, PropVariantClear, StringFromGUID2, CoInitializeEx, CoFreeUnusedLibraries, OleDuplicateData, ReleaseStgMedium, CoLockObjectExternal, OleUninitialize, OleInitialize, CreateStreamOnHGlobal, OleLoadFromStream, OleSaveToStream, CoUninitialize, CoInitialize, CoWaitForMultipleHandles, RegisterDragDrop, RevokeDragDrop, CreateItemMoniker, GetRunningObjectTable, CLSIDFromString, MkParseDisplayName, CreateBindCtx, CoCreateInstance, CoTaskMemAlloc, CoTaskMemFree, OleGetClipboard, CoCreateGuid, CLSIDFromProgID, CoDisconnectObject, CoGetClassObject, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CreateILockBytesOnHGlobal, OleFlushClipboard, OleIsCurrentClipboard, DoDragDrop, OleLockRunning, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, CoRevokeClassObject, CoRegisterMessageFilter
OLEAUT32.dll	SysFreeString, VarBstrFromDate, VariantCopy, SafeArrayDestroy, LoadTypeLib, OleCreateFontIndirect, SystemTimeToVariantTime, VariantTimeToSystemTime, SysStringByteLen, SysAllocStringByteLen, OleCreatePropertyFrame, VariantChangeType, SysStringLen, SafeArrayUnaccessData, SafeArrayAccessData, VariantClear, VariantInit, SysAllocString, VarBstrCmp, SysAllocStringLen
oledlg.dll	OleUIBusyW
WS2_32.dll	WSASetLastError, WSAGetLastError, WSAAsyncSelect, select, closesocket, WSACleanup, accept, listen, shutdown, recvfrom, recv, ntohs, inet_ntoa, WSAStartup, gethostbyname, socket, sendto, bind, inet_addr, getpeername, connect, htonl, getsockname, send, htons
OLEACC.dll	CreateStdAccessibleObject, AccessibleObjectFromWindow, LresultFromObject
WININET.dll	InternetGetLastResponseInfoW, InternetWriteFile, InternetSetFilePointer, InternetOpenUrlW, InternetConnectW, InternetOpenW, InternetCanonicalizeUrlW, InternetCrackUrlW, InternetReadFile, InternetSetOptionW, InternetConnectA, HttpSendRequestA, InternetCloseHandle, InternetOpenA, HttpAddRequestHeadersA, HttpQueryInfoW, InternetSetOptionA, InternetSetStatusCallbackW, HttpOpenRequestW, HttpAddRequestHeadersW, HttpSendRequestExW, HttpEndRequestW, HttpOpenRequestA, InternetQueryDataAvailable, InternetQueryOptionW, InternetGetConnectedState
IMM32.dll	ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

Total Packets: 13
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2022 21:00:27.924804926 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:27.924849987 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:27.925012112 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:27.953790903 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:27.953834057 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.007111073 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.007222891 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:28.581796885 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:28.581826925 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.582082987 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.582175970 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:28.585884094 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:28.628509045 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.637630939 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.637835979 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:28.637866020 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.637960911 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:28.640680075 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:28.640932083 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.640973091 CEST	443	49750	172.67.3.208	192.168.2.3
Jul 6, 2022 21:00:28.641058922 CEST	49750	443	192.168.2.3	172.67.3.208
Jul 6, 2022 21:00:28.641100883 CEST	49750	443	192.168.2.3	172.67.3.208

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2022 21:00:27.880156040 CEST	65358	53	192.168.2.3	8.8.8.8
Jul 6, 2022 21:00:27.904690981 CEST	53	65358	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 6, 2022 21:00:27.880156040 CEST	192.168.2.3	8.8.8.8	0xf25d	Standard query (0)	mpc-hc.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 6, 2022 21:00:27.904690981 CEST	8.8.8.8	192.168.2.3	0xf25d	No error (0)	mpc-hc.org	172.67.3.208	A (IP address)	IN (0x0001)
Jul 6, 2022 21:00:27.904690981 CEST	8.8.8.8	192.168.2.3	0xf25d	No error (0)	mpc-hc.org	104.20.45.28	A (IP address)	IN (0x0001)
Jul 6, 2022 21:00:27.904690981 CEST	8.8.8.8	192.168.2.3	0xf25d	No error (0)	mpc-hc.org	104.20.46.28	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

mpc-hc.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49750	172.67.3.208	443	C:\Users\user\Desktop\mpc-hc64.exe

Timestamp	Direction	Data
2022-07-06 19:00:28 UTC	OUT	GET /version.txt HTTP/1.1 User-Agent: MPC-HC (64-bit) (Windows 10.0 x64)/1.7.13 (e37826845) Host: mpc-hc.org Cache-Control: no-cache
2022-07-06 19:00:28 UTC	IN	HTTP/1.1 200 OK Date: Wed, 06 Jul 2022 19:00:28 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 8 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff Last-Modified: Tue, 15 Sep 2020 06:30:10 GMT Cache-Control: max-age=2592000 Expires: Thu, 21 Jul 2022 04:09:41 GMT CF-Cache-Status: HIT Age: 1349447 Accept-Ranges: bytes Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Server: cloudflare CF-RAY: 726a955ebfb39229-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-06 19:00:28 UTC	IN	Data Raw: 31 2e 37 2e 31 33 2e 30 Data Ascii: 1.7.13.0

Target ID:	0
Start time:	21:00:16
Start date:	06/07/2022
Path:	C:\Users\user\Desktop\mpc-hc64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mpc-hc64.exe"
Imagebase:	0x7ff77f370000
File size:	12661488 bytes
MD5 hash:	B371A4B7CCB2AC89E38DB6DB3FFF5381
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mpc-hc64.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

System Behavior

Analysis Process: mpc-hc64.exePID: 6528, Parent PID: 5556

General

File Activities

Windows Analysis Report
mpc-hc64.exe